Steal Everything, Kill Everyone, Cause Total Financial Ruin!

Video thumbnail (Frame 0) Video thumbnail (Frame 829) Video thumbnail (Frame 3978) Video thumbnail (Frame 5554) Video thumbnail (Frame 8085) Video thumbnail (Frame 9044) Video thumbnail (Frame 10930) Video thumbnail (Frame 11954) Video thumbnail (Frame 14441) Video thumbnail (Frame 15507) Video thumbnail (Frame 16879) Video thumbnail (Frame 18332) Video thumbnail (Frame 19113) Video thumbnail (Frame 20583) Video thumbnail (Frame 21520) Video thumbnail (Frame 23030) Video thumbnail (Frame 24390) Video thumbnail (Frame 26220) Video thumbnail (Frame 27091) Video thumbnail (Frame 28245) Video thumbnail (Frame 29076) Video thumbnail (Frame 29934) Video thumbnail (Frame 30801) Video thumbnail (Frame 31685) Video thumbnail (Frame 32489) Video thumbnail (Frame 33335) Video thumbnail (Frame 34128) Video thumbnail (Frame 34917) Video thumbnail (Frame 36280) Video thumbnail (Frame 39174) Video thumbnail (Frame 41001) Video thumbnail (Frame 42179) Video thumbnail (Frame 43043) Video thumbnail (Frame 44183) Video thumbnail (Frame 45019) Video thumbnail (Frame 47738) Video thumbnail (Frame 48931) Video thumbnail (Frame 50895) Video thumbnail (Frame 53754) Video thumbnail (Frame 60823)
Video in TIB AV-Portal: Steal Everything, Kill Everyone, Cause Total Financial Ruin!

Formal Metadata

Steal Everything, Kill Everyone, Cause Total Financial Ruin!
Title of Series
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area

Related Material

Video is accompanying material for the following resource
Slide rule
Boss Corporation Turbo-Code Group action Building Firewall (computing) Multiplication sign Physicalism Incidence algebra Total S.A. Process (computing) Strategy game Spherical cap Software testing Figurate number Information security Traffic reporting Writing Vulnerability (computing) Physical system
Code Execution unit Video game Bit Right angle Special unitary group Figurate number Information security Neuroinformatik
Goodness of fit Building Bit rate Feedback Expert system Content (media) Mereology Rule of inference Information security Metropolitan area network Social engineering (security) Number
Area Personal identification number Building Sign (mathematics) Process (computing) Spherical cap Closed set Right angle Lattice (order) Mereology Information security
Group action Hard disk drive Mass
Execution unit Email Server (computing) Link (knot theory) Key (cryptography) Multiplication sign Hyperlink Letterpress printing Online help Process capability index Rule of inference Neuroinformatik Type theory Software Personal digital assistant Chief information officer Video game Convex hull Office suite Series (mathematics)
Data management Bit Family Relief
Data management Building Data management Building Planning Mereology
Laptop Arm Ferry Corsten Code Multiplication sign 1 (number) HTTP cookie Traffic reporting
Laptop Code Direction (geometry) 1 (number) Information security Number
Laptop Key (cryptography) Right angle
Slide rule Film editing Key (cryptography) State of matter Device driver Plastikkarte Game theory Family Information security Row (database) Electronic signature Identity management
Category of being Data management Key (cryptography) Quicksort Gamma function Mereology Information security 2 (number)
Area Mechanism design Greatest element
Ring (mathematics) Total S.A. Right angle Water vapor Physical system
Videoconferencing Right angle Table (information)
Object-oriented programming Hacker (term) Right angle
Point (geometry) Kälteerzeugung Bit
Area Social engineering (security)
Service (economics) Information Computer Number
Data management Hacker (term) Disk read-and-write head Social engineering (security)
Arithmetic mean Window
Area Touchscreen Information Code 1 (number) Coroutine Incidence algebra Disk read-and-write head Neuroinformatik Angle Website Office suite Information security Thermal conductivity God
Area Thread (computing) Network topology 1 (number) Office suite Binary file Information security Bookmark (World Wide Web)
Point (geometry) Malware Server (computing) Workstation <Musikinstrument> Hard disk drive Total S.A.
Server (computing) Password Poisson-Klammer Mereology Bookmark (World Wide Web)
Suite (music) Password Multiplication sign Determinism
Personal identification number Antivirus software Causality Password Streamlines, streaklines, and pathlines Determinism Data conversion Mereology Digital video recorder
Personal identification number Slide rule Group action Website Bit Selectivity (electronic) Student's t-test
Hoax Divisor Execution unit Zoom lens Branch (computer science) Login Neuroinformatik Number Power (physics) Hacker (term) Thermal fluctuations Operator (mathematics) Videoconferencing Office suite Traffic reporting Personal identification number Area Boss Corporation Electric generator Inheritance (object-oriented programming) Spyware Expression Lattice (order) Tablet computer Data management Process (computing) Software Auditory masking Right angle Reading (process) Reverse engineering Row (database)
Area Context awareness Email Key (cryptography) Link (knot theory) Papierloses Büro Multiplication sign Forcing (mathematics) Keyboard shortcut Execution unit Electronic mailing list Device driver Bulletin board system Mereology Type theory Data management Process (computing) Password Intrusion detection system Website Traffic reporting Information security Position operator Physical system
Meta element Axiom of choice
this is my talk I want you to understand I have to start with this slide because I'm gonna say things that might sound a little you know bad mean spiteful mean hateful you know all those other adjectives I'm adorable okay I'm a wonderful fluffy person and stuff you know who does not like doing bad things unless people pay me I would never try to kill you unless you pay me to try it okay I promise so so when I tell you those really harmful terrible things I'm gonna be talking about let's just remember the kittens okay toddle my talk steal everything kill
everyone calls total financial ruin or I walked into misbehaved quite simply it's because of the security fails it's like I'm gonna explain to you that the physical security and stuff you know is one of our biggest weaknesses because people can understand two-dimensional versus three-dimensional when they're walking up to the front door Jason e-street I have lots of letters behind my name I promise let's start off with Who I am
I've got a day job at a night job my day job is I'm the a VP of information security at financial institution my boss is going to love this on Monday what I do is I work in a cubicle with a lot of cool action figures around it I monitor firewalls i watch ids systems i build out our infrastructure i find more creative ways to secure it and to go after people who are coming after us and I do all the day-to-day blue team stuff I'm my main job is blue team is defense ok on the my night job is the CIO CIO strategy one solutions where I do pen testing maybe like three times a year and stuff you know it's like basically I do speaking engagements like this around the world it's like I've written a book dissecting the hack and I also do some other writing and that's what I do at night so I respond to incidents during the day I create incidents for other people at night so best of both worlds I love these pictures because you see the first picture with the baseball cap that was me standing outside for an hour in front of a industrial park building secured facility on a Sunday with no traffic and the security walks by twice and did not think to stop me and ask me what the are you doing on the sidewalk just watching our building and he didn't put in his report either so bad on him the second picture you know looking dapper in the glasses is actually going to apply for a job yes I'm wearing a black cat collared shirt because I like to come with warning labels and and I did not get the job unfortunately I was way under overqualified for that one I did get their data so you know win-win these
are my two favorite pictures of engages I've been on the the one I'm wearing the I'm a liability shirt I think is the best one because I stole a car in that shirt I was at a hotel off the coast and the valet gave me the car and I had explained it was like I can't get in this car right now and he's like why says well because I'm stealing it it's like they paid me to do an assessment I'm a liability and yeah it took him a while to figure that out and so finally I had to say you might want to take this back I think the owner is gonna want it the second the the next one is my favorite one of the most secured facilities I've ever seen in my life right across the street from Ground Zero SWAT teams you know with k9 units with their machine guns walking through the concourse eight security guards in the main elevator lobbying stuff not including the business lobby that's me in the upper floors wearing an actual valid badge and a shirt that says your company's computer guy I like that I like that picture a lot then we'll get more to that story in a little bit so I do have a CISSP I think
the Code of Ethics say that I have to put a Sun zoo quote my talks there it is we're the intro halfway through so far
so good we're gonna talk about the one fact that we have to face when we're dealing with this subject we're talking about the two rules that I go by when I'm doing an engagement and the three outcomes from those two rules and hopefully a good conclusion discussion let's face it you're going to the award ceremony right after this but still we can we can hope why this talk I gave a
talk last year on the thirty-six stratagems talk about the beginning of social engineering it was talking about things that you could do to try to get into the buildings that was the part one and quite frankly I got some feedback afterwards going psych man chase and that's some basic concept stuff you know it's like you weren't showing any kind of NLP or because I can't I am NOT a professional social engineering expert I don't know about NLP I don't know the psychology facial-recognition mind ninja techniques I still get in I have a hundred percent success rate of getting in to facilities when I'm doing a social engineering engagement so it's not that I'm not great trust me anybody will tell you that it's our security is that weak so these are educational and hopefully in the funny way kind of talk just to give you an onset of where to go look for more stuff and then hopefully have a good chuckle while you're doing it okay you're not going to learn anything new but hopefully you'll remember something that will make you go look at something else and and you'll be better for it so this is part two because now I'm not talking about the social engineering part so much as this is all the damage I'm going to do after your security guy let me through the front door because number
one fact I'm getting in okay this is the I took this picture I kid you not I'm going to meet the guy for the first part of our meeting and as soon as I opened up got into the concourse and I saw the the door the employee door for the secured area I was like oh you got to be joking me I walked right over pushed one three five guess what I got you just I would have tried five three one or three one five you know I would try it but look see how they rubbed off if that means she didn't look at the guy's face when I showed up ten minutes before I'm eating and no one knew I was there so that was fun here's the other
one I went to go to apply for another job and when I'm on these engagements I like to be bad so when I signed in to the receptionist I stole the pin so I'm a bad guy was what we do so as I go as soon as I finish getting the pin and signing in I ask to go where the bathroom is it's not because I drink so much freakin Diet Pepsi it's just because I get lost very easily and I will wander buildings looking for that darn bathroom for hours if you can't believe where it work the things I can get into well I'm going through and I actually happened to stumble into the secured area part of the employee area while I was looking for the bathroom I found the employee entrance and this is like the the security guy at this facility actually bragged about their million-dollar security system and I looked at the door and I saw this little rod thing and stuff you know that was the what was latching the door with and I said like only if I had a condom or something you know that protect that little rod and keep the door from cute the door closing and then making it latch and then I remembered oh wait I got a pin so I took the pin that I stole put the cap on the rod the door shut perfectly and it didn't latch so I leave it's like I come back in about 20 minutes or so it's still there I'm now in the secured facility and no one knows so that was fun I am NOT a Oh actually we're right
here okay so I'm not a master locksmith I tell people I don't have to be a master locksmith okay if your people will let me through the front door okay I don't have to be a massive ninja coder which I'm not it's like if I can just steal the hard drive with all your data here some of my master lock picking
skills in action I'm terrible with the lock dicks but I'm awesome with cardboard so here's another
key I love forging emails and putting them on iPad the key is to put them on iPad if you forge an email and print it out they're gonna look at you fake oh this is you just you just type this up you put it on an iPad the blue hyperlink stay a hyperlinked and also it's like it's on an iPad it's magically you must be telling the truth it's like so it's like so they're gonna go and say you know okay it's like so I was up in that secured facility in New York the network guy oh 'test an unusual amount of traffic coming from the CFO's assistance computer and is going to their main server and was warning what was going on it was me and so he comes over and he asks it's like what's going on what are you doing and I start telling him exactly why I'm there I spent two hours on Google creating this email making it sound like the owner the new owner of this company was upset and sent an email to the other company that he owns to send one of his guys out and to go and look at the network and I made it sound very political I made it sound like there was urgency and that they were supposed to be surprised so no one was new uh supposed to be there so I showed this to the the networking guy well he sent me to his office we went to his office and we talked to the CIO for about 10 minutes and the employee then started to escort me around to all the other computer desk and stuff you know so I could plug in my mount where and I had an employee escort so I had to be okay so it's like I actually can finish the rest of the engagement and stuff you know having someone help me and make sure that the people knew I was okay to be there and plugging in my USB devices and doing whatever else I needed to do so I really love that email I've got two
rules but guess what looking for PCI is not one of them I don't care about your hippo or hippo I don't care about sarbanes-oxley I don't care about your ISOs and unless they're got Linux on them I don't really care I just want to f you up I just want to mess you up in the worst possible way I want to be the worst thing to ever happened to you at the worst possible time okay remember the kittens so this is where I got my my two rules I got them from serenity which was based off the series uh Firefly which Fox cancelled many Dinah fire and the two quotes are very simple I aim to misbehave and let's go be bad guys that's it I'm just trying to do bad to team it up it's life you know red
team it's like don't act surprised when we try to kick you below the belt it's like bank managers are still being kidnapped today taken to their home their family held hostage overnight until they go open up the bank for bank robbers that's not funny that's real this stuff still happens another thing is this is one of these
things that we people talk about this is not a new concept what we're doing this is from 1992 the movie speakers it's like so people hire you to break into their places to make sure no one can break into their places it's a living well this one's old now because it's not a very good one it's gotten pretty good now business is pretty good with this but this is a concept it's not new it's something that we still have to keep revisiting stuff you know better people than me talk about it a little bit more technically and stuff you know like I said I'm the comedy relief on this but let's keep going
so another thing we have to understand is management is not proactive they are reactive so the Dana Irwin said in 2008 the best way to get management excited about his astir plan is to burn down the building across the street hello everyone I like to introduce myself I'm the fire so what we're gonna get to now is we're gonna get to the fun part and the fun part is talking about
all the different ways we can start those fires okay I love this one this is
this is what I call the trifecta of bad because yes I stole the phone or cloned it yes I've got the laptop 30 laptops unsecured in this facility they had no laptop lock cables because they were secure by the time I did the exit interview I started seeing laptop lock cables which was good for them also the Bosch because you know my arms may get tired I might need to take make trips so it's like so had me an employee badge I appreciated that okay I am I do feel bad about this
one because I am a CSS P I have a code of ethics so please no one report me let's make this off-the-record I'm sure no one's watching not about the laptop because I have no problem stealing the laptop I mean the guy left the cable on it for him he was just giving it to me and I'm not talking about the screwdriver because I need to steal something maybe you know that was bolted down because you know I like to be thorough I was a little hungry and I stole one of the cookies I'm sorry okay let's go on I love this because you know
people expect security not to be that thorough so they get their laptop blocked cable they're told to fasten it to the desk but that's hard you have to bend down so let's just look that cable over the the desk and no one's gonna pull it and you know what most security doesn't pull the cable to see if it's actually secured but I'm not security I'm the thief I'm gonna pull the cable I'm gonna try to steal it all so kudos
for this guy because he had it firmly attached to the the desk he had it he had it locked his laptop but I'm telling you when it's the code zero zero zero zero I'm gonna try that one I'm gonna try one one one I'm gonna try nein nein nein I'm gonna if you're a geek I'm gonna try zero zero zero seven so sorry about that one also they like to move the wand this is like the last number or the the top number they'll move one in either direction and that's it's that way they can just go dink I'm unlocked think I'm locked I'm gonna try those also when I'm in engagement
I'm going through all your drawers wait hold on they did something right I'm gonna go through all your desk and your cabinets okay and I'm gonna be looking for stuff because nice honest and pull coworkers are not gonna go looking through your desk I'm not a nice honest and coworker this guy had his laptop locked totally correct everything was right and then he put the keys in his top drawer so now denial today I steal his laptop but now I have a nice really shiny laptop cable and said you know I can protect from someone stealing it because I hate when they steal my stuff that I stole Laurie's why this picture was in
here is because I stole the iPod because that's like totally freaking retro how awesome was that this is another
trifecta it's like I stole the purse stole the car keys and yes I stole a phone let the record state I did not steal the lunch okay I felt really proud about that but but now let's hold on let's let's cut it for a second I took the car keys took the driver's license out of her purse I didn't go to the parking lot to find out what car it is I unlocked the car I go back and put her car keys back she comes back after work I'm in the backseat with a gun telling her that I've got her driver's license showing with I know where she lives that I've got people there that will kill her family if she does not go back into that facility steal all their data that I need and then come right back out and that we're tracing and we've got our phone cloned and we can monitor it employees need to know that their personal belongings are theirs but the impact can be severe for them as well as the company that's why they need to secure their stuff now let's remember the kittens real quick okay when you
have this mini frowny faces on a slide you're just f'd okay it's just game over you literally gave me a blank check to steal your your credit and your identity and trust me my credit sucks so I'm taking it you know thanks for leaving the Social Security card there because it's got your signature on it so I know exactly how the forgit it's like that was very helpful not many people are that kind so oh when I stole the first
car the guy sort of cheated and let's some people know that I was going around and doing stuff like that so I said we'll screw you a two o'clock in the morning I walked in grabbed three Mercedes Benz and a Beemer and just took him with me less than 66 seconds so Nicolas Cage beats that the look on the guy's face when the manager of security was faced when I walked to him and I dropped him those four keys was priceless I wish I could've included the picture but it's on my desktop at my home so so some countermeasures
employees need to know that this stuff matters for them as well make sure they're locking their desk securing the property they secure their property at home they secure their property after in their car they need to secure their property at work also no no tailgating you've got to make sure that they understand that they shouldn't tailgate it's like they shouldn't because you know what I'm doing I'm coming in the wheelchair and I got like four books and it's like oh man Jason you're a douche bag and I'm like yes I'm a bad guy I'm trying to steal from you do you really think I care that you're gonna feel a lesser about me because I'm not supposed to be in a wheelchair no I'm evil it's like so what I'm gonna do is I can trust me when I go up to that door and I got these books you're really going to the asshole who's not gonna let me in the door I mean seriously no you're gonna let me in and I thank you for that your employees not going to your employer's not going to but I will now also if you see some see something say something you don't have to personally tackle the guy if you think he's suspicious okay you do have to call security you need to start empowering the employees to understand they are part of your security team and they need to start acting like it so yeah here's the real warm and fuzzy
side we're asking to talk about how you know to kill everyone because that always brings up a crowd on a Sunday night this was a taking pictures at 2:30
in the morning I'm in a hotel sub where different hotels in the car and I'm inside a mechanical room I'm wearing Pepsi pajama bottoms over some cargo pants with some really bad things and a white t-shirt and I'm barefoot because I took all my clothes off in the bathroom and the guest area of the hotel and changed him to that and then started walking around and see what I could do I could do a lot because you notice one
important fact in this picture there are no padlocks on any of the switches I will tell you this right now I've got some OCD like you wouldn't believe okay if that's which is on I'm turning it off if that switch is off I'm turning it on and it by golly if there's a red button I'm pushing it twice okay that's just how I roll okay now I want you to understand I'm not a total jerk okay it's like because yes I'm going to start a fire in this room and yes it's gonna have some poisonous chemicals in it so the smoke will go through the ventilation system that's right there but I'm not totally terrible because I mean it's 2:30 in the morning who wants to get woken up at 2:30 in the morning listen to this Bing ringing alarm sound going off so I'll
thalamus the alarm system for you because it's like I mean I don't be rude the only thing worse than having that alarm going off in your ears and stuff you know someone throwing cold water on your face when you're trying to sleep I'll turn the sprinkler off system off
for you - okay it's like I don't want anybody to get all you know wet and drenched and stuff you know there's a fire going on that'd be dangerous oh wait huh yeah maybe not okay so another place that I like to I think
it's great to kill people is the kitchen it's like this guy didn't even ask who I was there but you know most people don't so just to bring that home here's a nice
little video is there any law enforcement from Malaysia in here okay this was good this was a video that I took in Malaysia in a Malaysian hotel I was wearing this shirt and I'm in Malaysia I don't blend well so let's see what happens there we go
I didn't edit this video because I want you to think you know stand against like
you made it yourself look or something like that no say you'll get to see me doing
exactly everything that I did including right here where I should have turned
the other way but I turned this way but
I didn't know what to do why so let's walk down this corridor first yay
I'm walking as fast as I can and if I
want to steal some tables there I go I was like wow that was a letdown I'm sure
I'm gonna pressing people that are in the audience right now it's not sight to
keep going I'm a hacker we don't give up
the first try right
so now if you get motion sickness or seasickness
take Dramamine or look away for a second
okay because this gets me
what a joke
so I come up against this door here and
I'm thinking oops there we go so I come
up against this door and I'm thinking oh
this is all so the reason is because
it's secured and it's got stuff in there that you want protected so you put a padlock on it but then you don't padlock it so one thank you for that what could you be protecting I don't know let's see here oh I did not go in there with an
Uzi or an ak-47 I did not bring c4 with me I just walked out of that closet with napalm I just walked out with poison so let's see what I can do well first I
gotta find a place to do that that's going to be a long search you know looking for the proper place to deploy
this kind of stuff let me turn around and oh I'm in the
kitchen that was quick
so let's walk through here everybody say
hello to this guy he didn't say hello to me the jerk I'm if it was a little bit
later at night I'd be you know tampering
with right there's the refrigerator for the food supply I would destroy your
food supply even if you detected that it was poisoned it would be useless you'd
have to destroy all of it that's me that's the point it's right there here
I'm going into another room I could have
gone to some of these other doors I wasn't really trying especially since I didn't have permission I mean I meant
since they didn't know at first it's
like they said it was okay first afterwards here's the mechanical areas
this is where I started my mechanical fires using the napalm you noticed those
two guys there so I have to use social engineering countermeasures let's listen
my countermeasures hey how's it going it
was going okay and then I kept moving so
here we go through the rest of it that's just me showing you more places that I would spread the napalm
I like seeing a bomb
one of the other things you notice that they protect guest information really
well you know in the computer systems
you know you can't go to the front desk and ask where someone's staying but obviously you can walk into the kitchen because every person their room number and their name is right there for room service so that's pretty low-tech now I'm going through this and I'm thinking
to yourself like you're saying well
Jason are you just walking around the freaking place what's that well basically first of all dude I told you I
was showing you the physical stuff not social engineering but since you asked
let's go try do some social engineering because let's see what happens if
someone notices me so I'm gonna go talk
to the head chef in the manager of the hotel so I asked what he's using Wi-Fi
or cable I got an iPad and I've got my hacker shirt I was like using Wi-Fi I'm clutching on the step you know and he's saying
I love the way they smiled and like the guy in the back window was just like you know photobombing means signal what it's like and I just left that was it so that's how easy it can be and it's like and we talk about social it's just easy as just saying how's it going and stuff you know and talking to someone people don't expect bad things to happen until they happen so some of the
countermeasures one of the key ones that I could not stress enough is create a codeword make sure people understand that first of all make your employees understand that this stuff happens workplace violence happens I mean for gosh sakes I got this information off of workplace violence it happens too often they've got a website for it for gosh sakes that's depressing okay so you got to understand that that happens so set up a code I tell people you especially with receptionist code oh my God he's got a gun run panic we're all gonna die is not the best code okay it is effective it does you know raising but it may not be the best I always tell them to suggest something like a code periwinkle mister periwinkle to HR mr. periwinkle to HR and I'm hoping that someday someone Institute's an actual code periwinkle cuz I think that's just funny saying periwinkle another one is conduct routine safety checks not just safety checks of your equipment but of your people as well I when I walked around for an hour I noticed one thing at that facility there was this one door that I could easily Jimmy and it had a camera that was right over it but I couldn't tell by the angle because where the other two cameras were spaced if I walked diagonally from the other parking area they wouldn't see me except for that one camera and if that camera was angled at the right way I could totally bypass it so I talked to the former head of security there and I told us like dude it's like this is what walking in and he's like whatever it's like come with me he takes me into this office the Security office it was empty showed me the computer screens though the TV monitor screens they were all turned off he turns them on the one camera that was not working was that one I've looked him dead in the eye and I said no serious it's like oh I guess I wasn't the only one that had that idea you may want to check your inventory I did mention he was the former head of security at that facility ok good ok so
let's talk about you know financial ruin let's talk about that espionage and and I hate to break some people's feelings and stuff you hurt some people's feelings and and just say it's not just the Chinese ok 70s the 80s 90s it's like the French were doing awesome with it so sorry too you know didn't salt actually I'm confident my French friends because they did a great counter espionage thing with the CIA and stuff back in the 90s at the Boeing incident you can google that one see I wish he wouldn't so that was fun so let's talk about some of things you can do there once again this
mini frowny face is not good because you know what I'm an environmentalist I am do you know how many poor senseless trees die every day due to those printouts that you lead beside the printer well you know what they will not die in vain when I visit I'm taking all of them I'm gonna liberate those trees I'm gonna liberate all and you know what I'm such an environmentalist I will take the ones that are still printing out just to make sure you don't forget them those trees will not die in vain when I'm there it's like you know another like and this is so sad this is actually a deal work comic strip is that they
still use thread bins to put all your you're telling me all your confidential data all the stuff that needs to be shredded let's put in a big blue bucket this is all the confidential and this is done in DC and this is done in financial institutions this is done in like DoD contractors offices but what my favorite is the DoD contractors office the the it's a secured area the office but the office the actual offices of the executives they're actually secured blocked where security cleaning crew can't go in because of all the top-secret data so what do they do at night they put the blue bucket outside their door yes that's awesome I mean I mean I'm sorry it's awesome for the bad guys oh dude
yeah when I get to the point where I could just stick malware into your hard drive it's just gonna be a fun night for me not for you that really yeah DEFCON get with it one
thing we're going off your workstation is when you see that USB Drive in your exchange server it's not gonna end well for you okay I know where that USB drives been you don't want it in your exchange server okay and I mean and you're thinking it's like what kind of damage is something you can do going after our exchange server ask HBGary but we can go and say well then how about
your accounting server being the 25 other employees that are also me there are now getting paychecks from you say well it's okay it's not gonna be too bad or I could just do the wire see if this
was like for my part one talk you know just do a wash and putting a traffic sniffing passwords are hard you got to configure all the stuff in Linux you got the bar like I said I'm not that technical I'm not that you know bright it's like a well I'm I just get them off
your monitor okay I love this one I actually tried Brackett leave blank bracket first I gave them the benefit of the doubt okay and yes it was just hittin her this is my favorite of all
time you know why because this was at a pharmaceutical bio whatever research lab of stuff you know where I'm supposed to be done with rocket scientist write the password first of all they shouldn't have written it down at all but the password was that scratched out was actually an alphanumeric special character password it was very complex and it was hard so they scratched it out and put it to welcome so and it was all lowercase I tried the capital first because you know they're rocket scientists the one thing
worst and seeing me in Pepsi pajamas you know ask material is actually seeing me in this suit because if I'm in this suit I am out to screw you over terribly okay because I'm wearing my best to do I call it the Vesta doom
because I think it sounds cool when I'm reliving my childhood if you want to know more about the Vesta doom and all these little toys it's in my part one
talk that I did last year and it's like what those uh but now I want you to know I've got a best of doom 2.0 let's let's see some of those things okay I've got some video recorder USB pins right here not on my keeping one in my pocket I'm going to actually be going in and leaving them in your little cupholders that you leave so I can record you two logging in your passwords carrying on your conversations things like that so that's awesome if I'm the tech guy I got my nice little handy 8 gig USB flashlight video recorder that I'm still your data off of and as you remember that a little bouncy dream I mean that was because it was taking on my 4 gig audio video recorder watch when I walk into your facility I'm a walking talking Google Street car okay I'm capturing everything I can now I got another device institude that to my 2.0 vest this was something that was given to me by a three-letter agency in DC I'm not the only reason why he gave me this this device and stuff you know which cost billions of dollars research he said was that I was to never talk about it in public so this device he gave me is actually a USB keystroke logger it's undetected by any antivirus you can plug it in it's very streamlined it's undetectable stuff you know it's very hard to spot when you actually plug it into the vise and it records all the keystrokes you're right I'm lying I got it off a
ThinkGeek think geek I like to put this for you know for the Q SAS if for your for your executives you know that you want to talk about this slide students have you know and tell when you get back and tell them about these things let them put it in a different way that they understand a little bit better the risk
matrix available at a geek and gadget website well we've discovered that too near certainty okay being able to log the CEOs keystrokes yeah I'm gonna go with catastrophic on that one now you see all these other devices you see all these pins you guys those were required it's like you know from a very I mean you have to be a select group of people okay to be able to get access to that kind of technology I mean I think everybody is familiar with that kind of that kind of access I think everybody here has that access it's called frequent fliers I mean you
talk about hackers needing this kind of data okay I'm an accountant I really hate my boss I really hate my job I want to go somewhere I want to steal a whole bunch of stuff from the company first how can I do that oh I'm on this flight oh look SkyMall oh I can put key log stroke keystroke logging and spyware on his my boss's computer oh I can you know have a USB recorder and stuff you know pin and take video of our company secrets and yes I can actually have a voice recorder so I can record our top secret confidential conference meetings this is not hard that is one of the biggest things you hear I see these talks and it's like these guys are like the rockstars and they're like they're two super elite and stuff you know and they deserve all the credit and all the stuff but I'm telling you it's not just that I'm the reverse of that I'm the guy saying it's so easy even I can do it okay it is like it's just the general stuff people are so busy protecting their stuff from these very high-level attacks they're forgetting oh sqli oops sorry Sony you know it's like it's sometimes it's a low-hanging fruit it really is the low-hanging fruit they're going to go after so you've got to be protecting that as well you got to be protecting from these kind of threats as well this is one I love this one I took
these pictures this is a the pony plug from Pony Express I took these pictures at a bank branch off on the on the west coast and I did four branches four attempts for successes after the fourth one they told me to stop the reason why is because I walked in I was wearing a blue DEF CON shirt work shirt I come with warning labels and I told it's like I'm here to check we have been having brownouts at the corporate office and we need to check to make sure that the power fluctuations aren't affecting your operations here so I'm gonna need to do is on the plug this device into your here plug into the network so it can take the readings and report back to the home office exactly what's going on and by the way I need to go in and check your make sure all the computers have proper power surges and UPS units working they I used a face false name that I had no idea or dent ofin for I used a fake company and a fake phone number I signed into their vendor log if I would have come in there with a ski mask and a shotgun every single person would reacted exactly the right way they've been trained to handle that they were not able to they did not expect the geek factor and they walked me through the teller area the drive-thru area and through the back rooms where the actual money is not too shiny little vault thing but the big safes with the actual money in it what kind of damage could I have done but I did do was I plugged in my pony device this one with the power unit instead of me I see the power UPC on the right I like that one the best because I had to get the bank manager to get out of receipt so I could plug it into behind her desk and what I do right after that it's like I can I don't have to go to my car I don't have to phone home I go to the bank lobbying I've got backtrack five on a zoom tablet and it's like I've got it already connecting to the Pony Express I'm pawning you before I even get out your door okay so what are some
of the countermeasures there's only one major countermeasures people okay and that quite frankly is just going to be stop printing what happen to this paperless office for gosh sakes it's like make sure you're doing proper DLP making sure you're talking about.we there was a recent report about how some of these data leakages are mostly coming from insider and threats from the actual employees themselves so make sure you're watching you're doing due diligence making sure that not everything is being shared open so now what can we do like I
said I'm the blue team I like that when we win I love I am I kid you not I am rooting so hard for the good guys when I go on an engagement okay I mean I look at some of those employees sometimes like you got to be I think you're believing what I just said seriously and it's like it didn't let me unit I'm like I don't like dude obviously I was a bad guy it's like so we need it what do we need to do though we need to educate empower and enforce our our work force our employees and the best way to educate to them is to stop this one simple phrase stupid users stupid users clicked on an email stupid users went to a website that weren't supposed to go you know what if I'm in the security department stupid me for not educating my employees properly on how to handle those kind of threats okay and another thing is if I can hire an employee and on the first day they don't even have a driver's license and on the first day of work I tell them here's the keys to my Bentley go do some deliveries and they break and they crash that car who's the idiot the one that started driving and the one that gave them the keys we're giving them technology they don't know how to use they need to start being educated properly on how to use it then when they screw up we can say it but not until then we need to educate our employees and let them understand where they're going to do we also need to empower our employees and by empowering them I don't mean starting a union okay so don't get all upset with me you know management types okay we need to let them know one simple fact they are part of the security team from the CEO to the mailroom you are part of the security team it is part of your job in your duties to make sure you're protecting the company data and they need to know that and they need to enjoy that they need to understand you as information security has the has access to the biggest intrusion detection system known to man all those employees on the frontline they're saying oh that looked weird that should have happened let me call somebody that's what you need to start doing you need to start empowering them you need to start letting them know that it's required I've got a guy who sends me 15 freakin emails ok a week on a phishing scam or some kind of other thing that he thought was weird and he wants you wanted to make sure I knew about it you know what I say every single time awesome thank you very much I appreciate it because that 16th one is not going to be a false positive it's gonna be something we need to respond to I'd rather get a thousand false positives from people that are actually thinking about it because if they're sending it to me that means they're thinking about security we do walkthroughs in our facility during our day job and we look under keyboards for passwords I mean at first we actually started finding him okay that was bad it's like but then we started not finding it but we still do it you know why because every time you do that everybody in that area is going oh they're checking for something we got to make sure creating that security awareness without shoving it down their throat that's how you do it that's how you do and then you enforce it okay not with a baseball bat oh gosh that would be fun but no it's like not with a baseball bat but with positive enforcement when someone stops me when I don't have a visible badge and says what are you doing what are you doing there I report them to their supervisor and I say awesome job that person did what they're supposed to do that person is protecting our data we've got it where we put a list of stuff you know and our bulletins and stuff you know an employee bulletin saying people that got kudos for security they did the right thing they did it the right way and you know what that breeds competition because that freaking Susie and accounting she's always getting the credit for doing that stuff well I can do it too you know I can stop someone that I don't think they have a proper badge that's how you enforce it it doesn't have to be negative you've got a workforce you've got a human idea system out there just waiting to be used start using them okay so as when as you as soon as you stop saying stupid user and start saying my co-workers in the Information Security Department we're going to start winning so here's some links and there you go