DEFCON 19: Steal Everything, Kill Everyone, Cause Total Financial Ruin! (w/ speaker)

Main point
Full script

This is my talk. I want you to understand. I have to start with this slide because I'm gonna say things that might sound a little, you know, bad, mean, spiteful, hateful, you know, all those other adjectives. I'm adorable, okay, I'm a wonderful, fluffy person and stuff. You know, I do not like doing bad things unless people pay me. I would never try to kill you unless you pay me to try it. Okay, I promise. So when I tell you those really harmful, terrible things I'm going to be talking about, let's just remember the kittens. Okay, the title of my talk: Steal Everything, Kill Everyone, Cause Total Financial Ruin, or how I walked in and misbehaved.

Quite simply, it's because of the security fails. I'm going to explain to you that physical security and stuff, you know, is one of our biggest weaknesses, because people can understand two-dimensional versus three-dimensional when they're walking up to the front door. Jayson E. Street. I have lots of letters behind my name, I promise. Let's start off with who I am. I've got a day job and a night job. My day job is: I'm the VP of information security at a financial institution. My boss is going to love this on Monday. What I do is I work in a cubicle with a lot of cool action figures around it. I monitor firewalls, I watch IDS systems, I build out our infrastructure, I find more creative ways to secure it and to go after people who are coming after us, and I do all the day-to-day blue team stuff.

My main job is blue team, is defense, okay. My night job is the CIO of Stratagem 1 Solutions, where I do pen testing, maybe like three times a year. You know, it's like basically I do speaking engagements like this around the world. I've written a book, Dissecting the Hack, and I also do some other writing, and that's what I do at night. So I respond to incidents during the day. I create incidents for other people at night. So, best of both worlds. I love these pictures because you see the first picture with the baseball cap: that was me standing outside for an hour in front of the industrial park building, a secured facility, on a Sunday with no traffic, and the security guard walked by twice and did not think to stop me and ask me, what are you doing on the sidewalk just watching our building? And he didn't put it in his report either, so bad on him. The second picture, you know, looking dapper in the glasses, is actually me going to apply for a job. Yes, I'm wearing a black cat collared shirt because I like to come with warning labels, and I did not get the job, unfortunately. I was way overqualified for that one. I did get their data, so, you know, win-win. These are my two favorite pictures of engagements I've been on. The one where I'm wearing the 'I'm a liability' shirt, I think, is the best one, because I stole a car in that shirt. I was at a hotel off the coast and the valet gave me the car and I had to explain.

It was like, I can't get in this car right now, and he's like, why? I said, well, because I'm stealing it. They paid me to do an assessment. I'm a liability. And, yeah, it took him a while to figure that out. So finally I had to say, you might want to take this back, I think the owner is going to want it. The next one is my favorite: one of the most secured facilities I've ever seen in my life, right across the street from Ground Zero. SWAT teams, you know, with K9 units, with their machine guns, walking through the concourse. Eight security guards in the main elevator lobby and stuff, not including the business lobby. That's me in the upper floors wearing an actual valid badge and a shirt that says 'your company's computer guy'. I like that. I like that picture a lot. We'll get more to that story in a little bit. So I do have a CISSP. I think the Code of Ethics says that I have to put a Sun Tzu quote in my talks. There it is. We're at the intro, halfway through. So far, so good. We're going to talk about the one fact that we have to face when we're dealing with this subject. We're going to talk about the two rules that I go by when I'm doing an engagement,

and the three outcomes from those two rules, and hopefully a good conclusion and discussion. Let's face it, you're going to the award ceremony right after this, but still, we can hope. Why this talk? I gave a talk last year on the 36 Stratagems. It was talking about the beginning of social engineering. It was talking about things that you could do to try to get into the buildings. That was part one and, quite frankly, I got some feedback afterwards going, psych, man, Jayson, that's some basic concept stuff. You know, it's like you weren't showing any kind of NLP. Because I can't. I am not a professional social engineering expert.

I don't know about NLP, I don't know the psychology, facial-recognition, mind ninja techniques. I still get in. I have a hundred percent success rate of getting into facilities when I'm doing a social engineering engagement. So it's not that I'm that great, trust me, anybody will tell you that. It's that our security is that weak. So these are educational and, hopefully, in a funny way, kind of talks just to give you an onset of where to go look for more stuff, and then hopefully have a good chuckle while you're doing it. Okay, you're not going to learn anything new, but hopefully you'll remember something that will make you go look at something else, and you'll be better for it. So this is part two, because now I'm not talking about the social engineering part so much as this is all the damage I'm going to do after your security guy lets me through the front door. Because number one fact: I'm getting in. Okay, this is. I took this picture, I kid you not. I'm going to meet the guy for the first part of our meeting, and as soon as I got into the concourse I saw the door, the employee door for the secured area. I was like, oh, you've got to be joking me. I walked right over, pushed one, three, five. Guess what, I'm in. If not, I would have tried 5, 3, 1 or 3, 1, 5.

You know, I would try it, but it looks like the others rubbed off. I mean, it's like she didn't look at the guy's face when I showed up 10 minutes before our meeting, and no one knew I was there. So that was fun. Here's another one. I went to apply for another job, and when I'm on these engagements I like to be bad. So when I signed in with the receptionist I stole the pen. So I'm a bad guy; that's what we do. So as soon as I finish getting the pen and signing in, I ask where the bathroom is. It's not because I drink so much frickin' Diet Pepsi, it's just because I get lost very easily and I will wander buildings looking for that darn bathroom for hours. You can't believe the things I can get into.

Well, I'm going through and I actually happened to stumble into the secured area, part of the employee area, while I was looking for the bathroom, and I found the employee entrance. And the security guy at this facility actually bragged about their million-dollar security system. And I looked at the door and I saw this little rod thing, you know, that was what was latching the door. And I said, if only I had a condom or something, you know, to protect that little rod and keep the door from closing and then making it latch. And then I remembered, wait, I've got a pen. So I took the pen that I stole, put the cap on the rod, the door shut perfectly, and it didn't latch. So I leave. I come back in about 20 minutes or so. It's still there. I'm now in the secured facility. No one knows. So that was fun. I am not, actually we're right here, okay, so I'm not a master locksmith. I tell people I don't have to be a master locksmith, okay, if your people will let me through the front door. Okay, I don't have to be a master ninja coder, which I'm not, if I can just steal the hard drive with all your data. Here are some of my master lock picking skills in action. I'm terrible with the lock picks, but I'm awesome with cardboard.

We're back. G open, okay. So here's another key. I love forging emails and putting them on an iPad. The key is to put them on an iPad. If you forge an email and print it out, they're gonna look at you: fake. Oh, this is you. You just typed this up.

You put it on an iPad, the blue hyperlinks stay hyperlinks, and also it's on an iPad, it's magical, you must be telling the truth. So they're going to go and say, you know, okay. So I was up in that secured facility in New York. The network guy noticed an unusual amount of traffic coming from the CFO's assistant's computer, and it's going to their main server, and he was wondering

what was going on. It was me. And so he comes over and he asks, what's going on, what are you doing? And I start telling him exactly why I'm there. I spent two hours on Google creating this email, making it sound like the owner, the new owner of this company, was upset and sent an email to the other company that he owns to send one of his guys out to go and look at the network. And I made it sound very political. I made it sound like there was urgency and that they were supposed to be surprised, so no one knew I was supposed to be there. So I showed this to the networking guy. Well, he sent me to his office. We went to his office and we talked to the CIO for about 10 minutes, and the employee then started to escort me around to all the other computer desks and stuff, you know, so I could plug in my malware. And I had an employee escort, so I had to be okay. So I actually could finish the rest of the engagement, having someone help me and make sure the people knew I was okay to be there, and plugging in my USB devices and doing whatever else I needed to do. So I really love that email. I've got two rules, but guess what? Looking for PCI is not one of them. I don't care about your HIPAA or HIPPA. I don't care about Sarbanes-Oxley. I don't care about your ISOs and Lester got Linux on them. I don't really care. I just want to f you up. I just want to mess you up in the worst possible way. I want to be the worst thing to ever happen to you at the worst possible time. Okay, remember the kittens. So this is where I got my two rules. I got them from Serenity, which was based off the series Firefly, which Fox canceled. May they die in the fire. And the two quotes are very simple: I aim to misbehave, and let's go be bad guys. That's it. I'm just trying to do bad.

Red team it up. It's like, you know, red team. Don't act surprised when we try to kick you below the belt. Bank managers are still being kidnapped today, taken to their home, their family held hostage overnight until they go open up the bank for bank robbers. That's not funny, that's real. This stuff still happens. Another thing is, this is one of these things that people talk about. This is not a new concept. What we're doing, this is from 1992, the movie Sneakers. So people hire you to break into their places, to make sure no one can break into their places. It's a living. Well, this one's old now because it's not a very good one. It's gotten pretty good now. Business is pretty good with this, but this is a concept that's not new.

It's something that we still have to keep revisiting. Better people than me talk about it a little bit more technically and stuff, you know. Like I said, I'm the comedy relief on this, but let's keep going. So another thing we have to understand is: management is not proactive, they are reactive. So, as Dan Erwin said in 2008, the best way to get management excited about a disaster plan is to burn down the building across the street. Hello, everyone, I'd like to introduce myself.

I'm the fire. So what we're going to get to now is the fun part, and the fun part is talking about all the different ways we can start those fires. Okay, I love this one. This is what I call the trifecta of bad, because, yes, I stole the phone or cloned it. Yes, I've got the laptop; 30 laptops unsecured in this facility. They had no laptop lock cables because they were secure. By the time I did the exit interview, I started seeing laptop lock cables, which was good for them.

Also the badge, because, you know, my arms may get tired, I might need to make trips, so I had me an employee badge. I appreciated that. Okay, I do feel bad about this one because I am a CISSP, I have a code of ethics, so please, no one report me. Let's make this off the record. I'm sure no one's watching. Not about the laptop, because I have no problem stealing the laptop. I mean, the guy left the cable on it for me; he was just giving it to me. And I'm not talking about the screwdriver, because I need to steal something, maybe, you know, that was bolted down, because I like to be thorough. I was a little hungry and I stole one of the cookies.

I'm sorry. Okay, let's go on. I love this because, you know, people expect security not to be that thorough. So they get their laptop lock cable and are told to fasten it to the desk. But that's hard, you have to bend down. So let's just lift that cable over the desk and no one's going to pull it. And, you know what, most security doesn't pull the cable to see if it's actually secured. But I'm not security, I'm a thief.

I'm going to pull the cable, I'm going to try to steal it all. So kudos for this guy, because he had it firmly attached to the desk. He had his laptop locked. But I'm telling you, when it's the code zero, zero, zero, zero, I'm going to try that one. I'm going to try one, one, one. I'm going to try nine, nine, nine. If you're a geek, I'm going to try zero, zero, zero, seven. So sorry about that one also. They like to move the one, like the last number or the top number. They'll move one in either direction and that's it. That way they can just go get it unlocked, bink, unlocked.

I'm going to try those also when I'm on an engagement. I'm going through all your drawers. Wait, hello, that didn't sound right. I'm going to go through all your desks and your cabinets, okay, and I'm going to be looking for stuff, because nice, honest coworkers are not going to go looking through your desk. I'm not a nice, honest coworker. This guy had his laptop locked, totally correct, everything was right, and then he put the keys in his top drawer. So now, not only do I steal his laptop today, but now I have a nice, really shiny laptop cable and stuff.

You know, I can protect it from someone stealing it, because I hate when they steal my stuff that I stole. The reason why this picture was in here is because I stole the iPod, because that's like totally freakin' retro. How awesome was that. This is another trifecta. I stole the purse, stole the car keys and, yes, I stole the phone. Let the record state I did not steal the lunch, okay. I felt really proud about that. But now, let's hold on, let's cut it for a second. I took the car keys, took the driver's license out of her purse. I then go to the parking lot to find out what car it is.

I unlock the car. I go back and put her car keys back. She comes back after work. I'm in the backseat with a gun, telling her that I've got her driver's license, showing that I know where she lives, that I've got people there that will kill her family if she does not go back into that facility, steal all the data that I need and then come right back out, and that we're tracing her and we've got her phone cloned and we can monitor it. Employees need to know that their personal belongings are theirs, but the impact can be severe for them as well as the company. That's why they need to secure their stuff. Now let's remember the kittens real quick. Okay, when you have these mini frowny faces on a slide, you're just f'd.

Okay, it's just game over. You literally gave me a blank check to steal your credit and your identity, and, trust me, my credit sucks, so I'm taking it. You know, thanks for leaving the Social Security card there, because it's got your signature on it, so I know exactly how to forge it. That was very helpful. Not many people are that kind. So, when I stole the first car, the guy sort of cheated and let some people know that I was going around and doing stuff like that. So I said, well, screw you. At two o'clock in the morning I walked in, grabbed three Mercedes-Benz and a Beemer and just took them with me in less than 66 seconds. So Nicolas Cage, beat that. The look on the guy's face, the manager of security's face, when I walked up to them and I dropped those four keys was priceless. I wish I could've included the picture, but it's on my desktop at my home. So, some countermeasures. Employees need to know that this stuff matters for them as well. Make sure they're locking their desk, securing their property. They secure their property at home. They secure their property in their car.

They need to secure their property at work. Now also, no tailgating. You've got to make sure that they understand that they shouldn't tailgate. They shouldn't, because you know what I'm doing. I'm coming in in a wheelchair and I've got like four books. It's like, oh man, Jayson, you're a douchebag. And I'm like, yes, I'm a bad guy, I'm trying to steal from you. Do you really think I care that you're going to think lesser of me because I'm not supposed to be in a wheelchair?

No, I'm evil. So what I'm going to do is, trust me, when I go up to that door and I've got these books, are you really going to be the [ __ ] who's not going to let me in the door? I mean, seriously, no, you're going to let me in, and I thank you for that. Your employees are not going to, your employers are not going to, but I will. Also, if you see something, say something. You don't have to personally tackle the guy if you think he's suspicious, okay, but you do have to call security. You need to start empowering the employees to understand they are part of your security team, and they need to start acting like it.

So yeah, here's the real warm and fuzzy side. We're going to talk about how, you know, to kill everyone, because that always brings up a crowd on a Sunday night. This is me taking pictures at 2:30 in the morning. I'm in a hotel, a different hotel than the car one, and I'm inside a mechanical room. I'm wearing Pepsi pajama bottoms over some cargo pants with some really bad things, and a white t-shirt, and I'm barefoot, because I took all my clothes off in the bathroom in the guest area of the hotel and changed into that and then started walking around to see what I could do. I could do a lot, because you notice one important fact in this picture: there are no padlocks on any of the switches. I will tell you this right now: I've got some OCD like you wouldn't believe. Okay, if that switch is on, I'm turning it off. If that switch is off, I'm turning it on. And, by golly, if there's a red button, I'm pushing it twice. Okay, that's just how I roll. Okay, now I want you to understand, I'm not a total jerk. Because, yes, I'm going to start a fire in this room, and, yes, it's going to have some poisonous chemicals in it, so the smoke will go through the ventilation system that's right there. But I'm not totally terrible, because, I mean, it's 2:30 in the morning.

Who wants to get woken up at 2:30 in the morning listening to this ringing alarm sound going off? So I'll silence the alarm system for you, because I don't mean to be rude. The only thing worse than having that alarm going off in your ears and stuff, you know, is someone throwing cold water on your face when you're trying to sleep. I'll turn the sprinkler system off for you, too. Okay, I don't want anybody to get all, you know, wet and drenched and stuff. You know, there's a fire going on. That'd be dangerous. Oh wait, yeah, maybe not. Okay. So another place that I think is great to kill people is the kitchen. This guy didn't even ask who I was or why I was there, but, you know, most people don't.

So just to bring that home, here's a nice little video. Is there any law enforcement from Malaysia in here? Okay, this was good. This was a video that I took in Malaysia, in a Malaysian hotel. I was wearing this shirt and I'm in Malaysia. I don't blend well. So let's see what happens. Here we go. I didn't edit this video because I don't want you to think, you know, shenanigans, like I made myself look good or something like that. But now you'll get to see me doing exactly everything that I did, including right here where I should have turned the other way, but I turned this way, because I didn't know the building. So let's walk down this corridor first. Yay, I'm walking as fast as I can, and if I wanted to steal some tables, there I go.

I was like, wow, that was a letdown. I'm sure I'm depressing people that are in the audience right now. So I decided to keep going. I'm a hacker. We don't give up on the first try, right? So now, if you get motion sickness or seasickness, take Dramamine or look away for a second, okay, because this gets, me, I wasn't joking. So I come up against this door here and I'm thinking, oops, there we go. So I come up against this door and I'm thinking, oh, this is awesome. So the reason is because it's secured and it's got stuff in there that you want protected. So you put a padlock on it. But then you don't padlock it. So, one, thank you for that. What could you be protecting? I don't know. Let's see here. Oh, I did not go in there with an Uzi or an AK-47. I did not bring C4 with me.

I just walked out of that closet with napalm. I just walked out with poison. So let's see what I can do. Well, first I've got to find a place to do that. That's going to be a long search, you know, looking for the proper place to deploy this kind of stuff. Let me turn around and, oh, I'm in the kitchen. That was quick. So let's walk through here. Everybody say hello to this guy. He didn't say hello to me, jerk. If it was a little bit later at night I'd be, you know, tampering with, right there, the refrigerator for the food supply. I would destroy your food supply. Even if you detected it was poisoned, it would be useless. You'd have to destroy all of it. That's me. That's important. Right there, here I'm going into another room. I could have gone through some of these other doors. I wasn't really trying, especially since I didn't have permission. I mean, I'm in, since they didn't know at first. They said okay afterwards. Here's the mechanical areas. This is where I'd start my mechanical fires using the napalm. You notice those two guys there. So I have to use social engineering countermeasures. Let's listen to my countermeasures. Hey, how's it going? It was going okay, and I kept moving. So here we go through the rest of it.

That's just me showing you more places that I would spread the napalm. I like saying napalm. One of the other things: you notice that they protect guest information really well, you know, in the computer systems. You can't go to the front desk to ask where someone's staying, but obviously you can walk into the kitchen, because every person, their room number and their name, is right there for room service.

So that's pretty low-tech. Now I'm going through this and I'm thinking, you're saying to yourself, Jayson, all you're doing is just walking around in the freakin' place, what's that? Well, basically, first of all, dude, I told you I was showing you the physical stuff, not social engineering. But since you asked, let's go try to do some social engineering, because let's see what happens if someone notices me. So I'm going to go talk to the head chef and the manager of the hotel. So I asked what he's using, Wi-Fi or cable. I've got an iPad and I've got my hacker shirt. I was like, using Wi-Fi, I'm questioning him on the stuff, you know, and he's saying he's incapable of handling it. I love the way they smiled. Like the guy in the back window was just like, you know, photobombing me, going, what's going on with that guy? And I just left. That was it. So that's how easy it can be. And we talked about social here; it's just as easy as saying how's it going and, you know, talking to someone. People don't expect bad things to happen until they happen. So some of the countermeasures, one of the key ones that I could not stress enough, is: create a codeword.

Make sure people understand that. First of all, make your employees understand this stuff happens. Workplace violence happens. I mean, for gosh sakes, I got this information off of workplaceviolencenews.com. It happens too often. They've got a website for it. For gosh sakes, that's depressing, okay. So you've got to understand that that happens. So set up a code. I tell people, you've got to, especially with the receptionist, have a code. 'Oh my God, he's got a gun, run, panic, we're all going to die' is not the best code. Okay, it is effective, it does, you know, raise the alarm, but it may not be the best.

I always tell them to suggest something like a code periwinkle: Mister Periwinkle to HR, Mr. Periwinkle to HR. And I'm hoping that someday someone institutes an actual code periwinkle, because I think that's just funny, saying periwinkle. Another one is: conduct routine safety checks, not just safety checks of your equipment but of your people as well. When I walked around for an hour, I noticed one thing at that facility: there was this one door that I could easily jimmy. And it had a camera that was right over it, but I could tell by the angle, because of where the other two cameras were spaced, if I walked diagonally from the other parking area, they wouldn't see me, except for that one camera, and if that camera was angled the right way I could totally bypass it.

So I talked to the former head of security there and I told him, like, dude, this is what I'm walking in, and he's like, whatever, come with me. He takes me into this office, the security office. It was empty. Showed me the computer screens, the TV monitor screens. They were all turned off. He turns them on. The one camera that was not working was that one. I looked him dead in the eye and I said, no, seriously?

Oh, I guess I wasn't the only one that had that idea. You may want to check your inventory. I did mention he was the former head of security at that facility. Okay, good. Okay, so let's talk about, you know, financial ruin. What about the espionage? And I hate to hurt some people's feelings, but just say it's not just the Chinese, okay. 70s, 80s, 90s, it's like the French were doing awesome with it. So, sorry, too, you know. So actually, I'm complimenting my French friends, because they did a great counter-espionage thing with the CIA and stuff back in the 90s at the Boeing incident. You can Google that one. See, I wish you wouldn't. So that was fun. So let's talk about some of the things you can do there. Once again, this mini frowny face is not good, because, you know what, I'm an environmentalist, I am. Do you know how many poor, senseless trees die every day due to those printouts that you leave beside the printer? Well, you know what, they will not die in vain. When I visit, I'm taking all of them. I'm going to liberate those trees, I'm going to liberate all of them. And, you know what, I'm such an environmentalist, I will take the ones that are still printing out just to make sure you don't forget them. Those trees will not die in vain when I'm there. Another one, and this is so sad, this is actually a Dilbert comic strip, is that they still use shred bins to put all your confidential data in, all the stuff that needs to be shredded. Let's put it in a big blue bucket. This is all the confidential stuff. And this is done in DC, and this is done in financial institutions. This is done in, like, DoD contractors' offices. My favorite is the DoD contractor's office. It's a secured area. The actual office of the executives, they're actually secured, blocked, where security, cleaning crew can't go in because of all the top-secret data.
So what do they do at night? They put the blue bucket outside their door.

Yes, that's awesome, I mean. I mean, I'm sorry, it's awesome for the bad guys. Oh, dude, yeah, when I get to the point where I can just stick malware into your hard drive, it's just going to be a fun night for me, not for you. Yeah, DEFCON, get with it. One thing worse than going off your workstation is when you see that USB drive in your Exchange server. It's not going to end well for you. Okay, I know where that USB drive's been. You don't want it in your Exchange server, okay. And, I mean, you're thinking, what kind of damage is something you can do going after our Exchange server?

Ask HBGary. But we can go and say, well then, how about your accounting server, where the 25 other employees that are also me are now getting paychecks from you? Say, well, it's okay, it's not going to be too bad. Or I could just do a wire sniff. This was like from my part one talk, you know, just do a Wireshark to find your traffic. Sniffing passwords is hard. You've got to configure all the stuff, Linux, you've got the bar. Like I said, I'm not that technical, I'm not that, you know, bright. So, well, why not just get them off your monitor? Okay, I love this one. I actually tried bracket, leave blank, bracket first. I gave them the benefit of the doubt, okay, and, yes, it was just hit enter.

This is my favorite of all time. You know why? Because this was at a pharmaceutical, bio, whatever research lab, you know, where I'm supposed to be dealing with rocket scientists. Write the password? First of all, they shouldn't have written it down at all, but the password that was scratched out was actually an alphanumeric special-character password. It was very complex and it was hard, so they scratched it out and changed it to 'welcome'. And it was all lowercase. I tried the capital first, because, you know, they're rocket scientists. The one thing worse than seeing me in Pepsi pajamas, you know, as mercurial, is actually seeing me in this suit, because if I'm in this suit I am out to screw you over terribly, okay, because I'm wearing my vest of doom. I call it the vest of doom because I think it sounds good when I'm reliving my childhood.

If you want to know more about the vest of doom and all these little toys, it's in my part one talk that I did last year, what those are. But now I want you to know I've got a vest of doom 2.0. Let's see some of those things. Okay, I've got some video recorder USB pens right here, not on me, keeping one in my pocket. I'm going to actually be going in and leaving them in your little cup holders that you leave, so I can record you logging in your passwords, carrying on your conversations, things like that. So that's awesome if I'm the tech guy. I've got my nice little handy 8 gig USB flashlight video recorder that I'm stealing your data off of. And, as you remember, the little bouncy Dramamine, that was because it was taken on my 4 gig audio video recorder watch. When I walk into your facility, I'm a walking, talking Google Street car. Okay, I'm capturing everything I can. Now I've got another device in my 2.0 vest. This was something that was given to me by a three-letter agency in DC. The only reason why he gave me this device and stuff, you know, which cost billions of dollars of research, he said, was that I was to never talk about it in public. So this device he gave me is actually a USB keystroke logger.

It's undetected by any antivirus. You can plug it in. It's very streamlined, it's undetectable stuff, you know, it's very hard to spot when you actually plug it into the device and it records all the keystrokes you write. I'm lying, I got it off ThinkGeek. I like to put this for, you know, for the QSAs, for your executives. You know that you want to talk about this slide, students, have you know, until when you get back and tell them about these things, let them put it in a different way that they understand a little bit better: the risk matrix. Available at a geek and gadget website? Well, we've discovered that's a near certainty. Okay, being able to log the CEO's keystrokes? Yeah, I'm going to go with catastrophic on that one. Now you see all these other devices. You see all these pens. You know these devices. Those were required. It's, like you know, from a very, I mean you have to be a select group of people, okay, to be able to get access to that kind of technology. I mean, I think everybody is familiar with that kind of access.

I think everybody here has that access. It's called frequent fliers. I mean you talk about hackers doing this kind of data. Okay, I'm an accountant. I really hate my boss. I really hate my job. I want to go somewhere. I want to steal a whole bunch of stuff from the company. First, how could I do that? Oh, I'm on this flight. Oh, look, SkyMall. Oh, I can put keystroke logging and spyware on his, my boss's, computer. Oh, I can, you know, have a USB recorder and stuff, you know, pen and take video of our company secrets. And, yes, I can actually have a voice recorder so I can record our top secret confidential conference meetings. This is not hard. That is one of the biggest things you hear. I see these talks and it's like these guys are like the rockstars and like they're too super elite and stuff, you know, and they deserve all the credit, all this stuff. But I'm telling you, it's not just that. I'm the reverse of that. I'm the guy saying it's so easy, even I can do it, okay. It's just the general stuff. People are so busy protecting their stuff from these very high-level attacks they're forgetting, oh, SQLi, oops, sorry, Sony, you know, it's like it. Sometimes it's the low-hanging fruit. It really is the low-hanging fruit they're going to go after. So you've got to be protecting that as well. You got to be protecting from these kind of threats as well. This is one I love, this one. I took these pictures. This is a Pwn Plug from Pwnie Express. I took these pictures at a bank branch on the west coast and I did four branches, four attempts, four successes.

After the fourth one, they told me to stop. The reason why is because I walked in. I was wearing a blue DEF CON work shirt. I come with warning labels and I told them, it's like, I'm here to check. We have been having brownouts at the corporate office and we need to check to make sure that the power fluctuations aren't affecting your operations here. So what I'm going to need to do is plug this device in here, plug into the network so it can take the readings and report back to the home office exactly what's going on. And, by the way, I need to go in and check to make sure all the computers have proper power surge and UPS units working. I used a false name that I had no ID or anything for. I used a fake company and a fake phone number. I signed into their vendor log. If I would have come in there with a ski mask and a shotgun, every single person would have reacted exactly the right way they've been trained to handle that.

They were not able to. They did not expect the geek factor, and they walked me through the teller area, the drive-through area and through the back rooms where the actual money is, not the shiny little vault thing but the big safes with the actual money in it. What kind of damage could I have done? What I did do was I plugged in my Pwn Plug device, this one with the power unit and stuff. You can see the power UPS on the right. I like that one the best because I had to get the bank manager to get out of her seat so I could plug it in behind her desk. And what I do right after that, it's like, I can. I don't have to go to my car, I don't have to phone home. I go to the bank lobby and I've got BackTrack 5 on the Xoom tablet and I've got it already connected to the Pwnie Express. I'm pwning you before I even get out your door, okay. So what are some of the countermeasures? There's only one major countermeasure: people, okay, and that, quite frankly, is just going to be stop printing. What happened to the paperless office, for gosh sakes? It's like, make sure you're doing proper DLP, making sure you're talking about. There was a recent report about how some of these data leakages are mostly coming from insiders and threats from the actual employees themselves, so make sure you're watching. You're doing due diligence, making sure that not everything is being shared open. So now, what can we do?

Like I said, I'm the blue team. I like it when we win. I love it. I am, I kid you not, I am rooting so hard for the good guys when I go on an engagement, okay. I mean, I look at some of those employees sometimes, like, you've got to be. I think you're believing what I just said, seriously, and it's like it didn't let me unit. I'm like, dude, obviously I was a bad guy. It's like. So we need it. What do we need to do, though? We need to educate, empower and enforce our workforce, our employees, and the way to educate them is to stop this one simple phrase: stupid users. Stupid users clicked on an email. Stupid users went to a website they weren't supposed to go to. You know what? If I'm in the security department, stupid me for not educating my employees properly on how to handle those kind of threats. Okay, and another thing is: if I hire an employee and on the first day they don't even have a driver's license, and on the first day of work I tell them, here's the keys to my Bentley, go do some deliveries, and they crash that car, who's the idiot? The one that started driving or the one that gave them the keys? We're giving them technology they don't know how to use. They need to start being educated properly on how to use it. Then when they screw up, we can say it, but not until then. We need to educate our employees and let them understand what they're going to do. We also need to empower our employees, and by empowering them I don't mean starting a union, okay, so don't get all upset with me, you know, management types. Okay. We need to let them know one simple fact: they are part of the security team, from the CEO to the mailroom. You are part of the security team. It is part of your job, in your duties, to make sure you're protecting the company data, and they need to know that and they need to enjoy that. They need to understand: you, as information security, have access to the biggest intrusion detection system known to man. All those employees on the front line. They're saying, oh, that looks weird, that shouldn't have happened.

Let me call somebody. That's what you need to start doing. You need to start empowering them. You need to start letting them know that it's required. I've got a guy who sends me 15 freakin' emails, okay, a week, on a phishing scam or some kind of other thing that he thought was weird, and he wanted to make sure I knew about it. You know what I say every single time: awesome, thank you very much. I appreciate it, because that 16th one is not going to be a false positive. It's going to be something we need to respond to. I'd rather get a thousand false positives from people that are actually thinking about it, because if they're sending it to me, that means they're thinking about security.

We do walkthroughs in our facility during our day job and we look under keyboards for passwords. I mean, at first we actually started finding them, okay, that was bad, it's like. But then we started not finding them. But we still do it. You know why? Because every time you do that, everybody in that area is going: oh, they're checking for something. We've got to make sure. Creating that security awareness without shoving it down their throat, that's how you do it, and then you enforce it. Okay, not with a baseball bat, oh gosh, that would be fun. But no, it's like, not with a baseball bat, but with positive enforcement. When someone stops me, when I don't have a visible badge, and says: what are you doing? What are you doing there? I report them to their supervisor and I say: awesome job, that person did what they're supposed to do. That person is protecting our data. We've got it where we put a list and stuff, you know, in our bulletins and stuff, you know, an employee bulletin saying people that got kudos for security. They did the right thing, they did it the right way. And you know what that breeds: competition. Because that freaking Susie in accounting, she's always getting the credit for doing that stuff. Well, I can do it too, you know. I can stop someone that I don't think has a proper badge. That's how you enforce it. It doesn't have to be negative. You've got a workforce. You've got a human IPS system out there just waiting to be used. Start using them, okay. So as soon as you stop saying stupid user and start saying my co-workers in the Information Security Department, we're going to start winning. So here are some links and there you go. You.