WEBVTT

00:00:02.767 --> 00:00:07.440
JACK: [MUSIC] When I was young, I used to like sneaking around places that I shouldn’t have been

00:00:07.440 --> 00:00:14.640
in. I liked getting in the back-of-house areas in performing theatres or casinos. This one time

00:00:14.640 --> 00:00:19.740
I went to explore a mall where I lived and I found a huge back hallway, a corridor that connected all

00:00:19.740 --> 00:00:24.540
the back of the stores together. It was such a big back hallway that a truck could drive through it.

00:00:24.540 --> 00:00:29.100
It was fun to explore and it was a major shortcut across the mall so I ducked down this corridor

00:00:29.100 --> 00:00:34.260
from time to time. Every time I went down this back hallway, I saw signs hanging up everywhere

00:00:34.260 --> 00:00:42.780
that said JDLR. I used to stop and read these and try to figure out what it meant. JDLR? Just Don’t

00:00:42.780 --> 00:00:50.400
Litter Raisins? Junior Dining Living Room? What does JDLR mean? One day my friend got a job at

00:00:50.400 --> 00:00:56.400
the mall so I asked her. Hey, what’s JDLR? She tells me it means Just Doesn’t Look Right.

00:00:56.400 --> 00:01:01.920
Just Doesn’t Look Right? What does that mean, I asked? She said it’s a reminder to look out

00:01:01.920 --> 00:01:06.000
for anything out of the ordinary in the mall and report it to security.

00:01:06.000 --> 00:01:12.060
JDLR was a security awareness campaign that the mall cops put up to report suspicious people

00:01:12.060 --> 00:01:18.540
like me sneaking through back hallways. But really, I wondered how effective this

00:01:18.540 --> 00:01:24.600
campaign was. Suppose you were told to report something that was just JDLR. Would you notice

00:01:24.600 --> 00:01:29.580
when someone came into your office or store who didn’t belong? Would you then care enough

00:01:29.580 --> 00:01:34.560
or be brave enough to do something about it? How quickly could you even find the number to

00:01:34.560 --> 00:01:41.280
security? This is a story about a guy who got caught sneaking into a building because he just

00:01:41.280 --> 00:01:47.880
didn’t look right. JDLR. JACK (INTRO): [INTRO MUSIC]

00:01:47.880 --> 00:01:54.600
These are true stories from the dark side of the internet.

00:01:54.600 --> 00:02:13.440
I’m Jack Rhysider. This is Darknet Diaries. [INTRO

00:02:13.440 --> 00:02:14.340
MUSIC ENDS] JACK: Let’s start out

00:02:14.340 --> 00:02:17.520
with what do you want to be called, or what’s your name? What do you do?

00:02:17.520 --> 00:02:21.360
KYLE: My name is Kyle. Right now, I’m on the Red Team at McKesson.

00:02:21.360 --> 00:02:27.120
JACK: Ah yes, another Red Team story. The Red Team is the offensive team in a simulated attack. In

00:02:27.120 --> 00:02:31.620
this case, Kyle’s day job or sometimes night job, is to physically break into buildings to

00:02:31.620 --> 00:02:36.540
test their security like a sophisticated criminal might do. Oh, and I should give a warning here.

00:02:36.540 --> 00:02:41.100
Kyle drops a few swear words while telling us this story so if you don’t like swear words, you might

00:02:41.100 --> 00:02:46.980
want to skip this one. This mission was to get access into a utilities company and I won’t even

00:02:46.980 --> 00:02:52.320
say what kind of utility company this was. KYLE: They were a very large conglomerate

00:02:52.320 --> 00:02:55.200
made up of a lot of companies. JACK: When you’re dealing with the utilities,

00:02:55.200 --> 00:03:00.960
whether it’s electricity, gas, or water, it’s extremely important that these networks are secure

00:03:00.960 --> 00:03:07.440
because something going wrong here can result in a massive disaster. These services are such

00:03:07.440 --> 00:03:12.150
an integral part of our lives. In fact, I’ve even heard stories that the national guard sometimes

00:03:12.150 --> 00:03:17.220
will do penetration tests on utility companies to help keep them safe from attacks. Now, there

00:03:17.220 --> 00:03:22.680
were only two people in the company who knew about this physical penetration test and it was the head

00:03:22.680 --> 00:03:28.200
of IT security and the head of physical security which is the boss of the security guards.

00:03:28.200 --> 00:03:34.560
KYLE: The point was to gain access to headquarters by way of anything we could do

00:03:34.560 --> 00:03:38.146
at any of the previous sites and then [00:05:00] leading up to going to headquarters.

00:03:38.146 --> 00:03:42.180
JACK: [MUSIC] Okay, let’s underline the objective here; basically, it’s to get access into the

00:03:42.180 --> 00:03:48.540
headquarters of this utility company. Then once there, get network-level access and then see how

00:03:48.540 --> 00:03:52.800
far you can get into the network once doing that. For instance, if Kyle could break into

00:03:52.800 --> 00:03:58.500
headquarters and get onto the network there and get to network admin, that would be pretty ideal

00:03:58.500 --> 00:04:03.720
for him. But in this objective, he’s allowed to also test the security of other locations which

00:04:03.720 --> 00:04:09.540
might help him gain access to headquarters. That’s interesting. Immediately I’m thinking about what I

00:04:09.540 --> 00:04:15.120
might do to get into headquarters. Maybe I would need an employee badge to get in, some passwords,

00:04:15.120 --> 00:04:20.280
or somehow, I hacked the network to let me in. Maybe a smaller, less secure location

00:04:20.280 --> 00:04:26.160
would allow me to get some of this stuff. Kyle starts profiling some of their other locations

00:04:26.160 --> 00:04:30.960
online to try to find an easy target. KYLE: I get on my browser and I just go to

00:04:30.960 --> 00:04:35.820
Facebook; I go to LinkedIn; I go to Twitter. I look at the company pages; I find employees. I go

00:04:35.820 --> 00:04:41.040
to their individual pages and between all of that you start to amass obviously a lot of very useful

00:04:41.040 --> 00:04:45.960
information about the surrounding areas, the general temperament of the people who work there,

00:04:45.960 --> 00:04:50.880
you get a feel for how the company likes to present itself, how many events they have,

00:04:50.880 --> 00:04:57.000
where you can blend in at. You get the obvious things that everyone goes for; badge, images,

00:04:57.000 --> 00:05:01.920
camera angles, things like that that you can see from Google Street View.

00:05:01.920 --> 00:05:08.400
When we were looking around in the social media, we started to notice that the companies that they

00:05:08.400 --> 00:05:15.420
owned in the Midwest had a lot more outdoors-type events like cookouts, BBQs, fun runs, march for

00:05:15.420 --> 00:05:23.220
the cures, whatever. All that stuff. Whereas some of the bigger cities, their acquisitions there

00:05:23.220 --> 00:05:28.740
didn’t have so many outdoors events, right. JACK: Kyle decides to target locations in the

00:05:28.740 --> 00:05:34.020
Midwest part of the United States. KYLE: First I decided that well, okay, yeah,

00:05:34.020 --> 00:05:37.980
we’re going to do Midwest but there’s a couple of sites out there. Which one do we want to hit?

00:05:37.980 --> 00:05:47.040
There was one site specifically that was on four blocks within an industrial area. We’re talking a

00:05:47.040 --> 00:05:51.720
huge amount of space to cover. Obviously, there’s a lot of supplies laying around in one big lot, a

00:05:51.720 --> 00:05:56.400
lot of vehicles parked in another. You’ve got your corporate building on this lot and then you’ve got

00:05:56.400 --> 00:06:01.320
your little warehouse buildings over here. Well more often than not, your target area is gonna

00:06:01.320 --> 00:06:07.080
seem like it should be the corporate building but it rarely ever is important that you go there.

00:06:07.080 --> 00:06:13.020
That small little garage where all the shop workers are who don’t really care so much about

00:06:13.020 --> 00:06:18.240
making sure that that door wasn’t left jammed open, or that that truck was locked; that’s

00:06:18.240 --> 00:06:22.860
where you want to start because that’s where you get your easy privilege escalation. Before

00:06:22.860 --> 00:06:27.180
we flew out there and marked that building, told everyone that’s where we’re gonna meet up.

00:06:27.180 --> 00:06:31.620
JACK: As Kyle starts making his way out to the Midwest, he now starts focusing on trying to

00:06:31.620 --> 00:06:36.420
figure out who works in that building. By using LinkedIn and Facebook, he starts to get a list

00:06:36.420 --> 00:06:41.820
of people; drivers, managers, technicians, and by having this list of names and roles, it can help

00:06:41.820 --> 00:06:46.860
him out if he needs to drop a name or try to lie his way into the building. He also looks on Google

00:06:46.860 --> 00:06:52.920
Maps to try to get as much information as he can about this building. What’s next door? What kind

00:06:52.920 --> 00:06:58.500
of fencing do they have around it? Where are the doors to get in and out? We take Google Maps for

00:06:58.500 --> 00:07:03.360
granted now but twenty-five years ago we really didn’t have access to satellite photos of every

00:07:03.360 --> 00:07:08.640
place on earth. We definitely didn’t have street view photos. To get access to stuff like this,

00:07:08.640 --> 00:07:14.040
you had to be like a government spy but now everyone has this capability to freely access

00:07:14.040 --> 00:07:19.740
satellite imagery of pretty much anywhere on the planet. It’s kind of crazy. Okay, so Kyle

00:07:19.740 --> 00:07:24.480
and his co-workers fly out to this place. They rent a car, they get a hotel room, and they wait

00:07:24.480 --> 00:07:30.180
for nightfall, [MUSIC] thinking they’ll be a lot less people at night. Maybe nobody. They should

00:07:30.180 --> 00:07:35.760
be able to sneak in somehow unchallenged. KYLE: Typically, you want to dress for the part,

00:07:35.760 --> 00:07:43.320
so we were dressed in darker clothes. I had a black beanie on. I’m a very pasty boy so I

00:07:43.320 --> 00:07:49.020
stand out pretty hard when there’s a little bit of light. I had a black button-down shirt. It

00:07:49.020 --> 00:07:53.820
wasn’t super crazy; tattoos hidden. Beanie can just be swept off with short hair that

00:07:53.820 --> 00:07:59.340
I had just freshly cut for the gig. I’m on the level as far as playing the part goes.

00:07:59.340 --> 00:08:02.460
JACK: They get in their rental car and park next door to the facility.

00:08:02.460 --> 00:08:06.300
KYLE: It was a weird house-turned-business in this weird industrial area and it had a

00:08:06.300 --> 00:08:11.160
car port. We just slid in under there. It was a rental car. It wasn’t anything super

00:08:11.160 --> 00:08:15.300
flashy. It was like a Kia something. JACK: They knew the building had a chain link

00:08:15.300 --> 00:08:19.560
fence around it and started walking around the outside of the fence looking for a way

00:08:19.560 --> 00:08:23.460
through. That’s when they spotted a part of the fence that they might be

00:08:23.460 --> 00:08:27.180
able to get under, so they tried. KYLE: Rolled up underneath the chain link

00:08:27.180 --> 00:08:31.320
fence and we just kind of hung out in between some trucks for a minute

00:08:31.320 --> 00:08:36.600
and got our bearings on the situation. JACK: From here they can look around [00:10:00] to

00:08:36.600 --> 00:08:40.080
understand the facility better. There were a lot of trucks at this building,

00:08:40.080 --> 00:08:47.040
company trucks, like trucks for workers to use to visit customers to fix or install lines. A

00:08:47.040 --> 00:08:51.600
whole fleet of trucks were parked there for the night. Kyle and his co-workers kept looking

00:08:51.600 --> 00:08:58.560
around for any people, cameras, guards, lights, alarms, but it was quiet.

00:08:58.560 --> 00:09:03.120
KYLE: We didn’t see any guards. There’s not really a whole lot of camera coverage. We saw

00:09:03.120 --> 00:09:08.820
one camera on the back of the warehouse building we were gonna go for. It was fairly well-lit

00:09:08.820 --> 00:09:12.000
so that was kind of problematic. JACK: They mapped a path to the building,

00:09:12.000 --> 00:09:16.920
finding a way to hide in the shadows and get close to the door of the building. They had

00:09:16.920 --> 00:09:22.200
to take a long way around to avoid any cameras or lights but eventually they reached the door

00:09:22.200 --> 00:09:27.600
of the building. It’s like a typical warehouse building; there are loading bays and truck docks

00:09:27.600 --> 00:09:32.160
and that kind of thing. But also, there’s a regular door for people to walk in and

00:09:32.160 --> 00:09:36.711
out of. It’s late at night and they’ve been watching the area and nobody is around.

00:09:36.711 --> 00:09:40.380
KYLE: We take a little bit of time, come around, we get to the warehouse

00:09:40.380 --> 00:09:47.700
building and suddenly we go to pull on the door and voila, it’s just open, man.

00:09:47.700 --> 00:09:55.080
There’s no trick to it. It had an HID reader. There was supposed to be a locking mechanism but

00:09:55.080 --> 00:09:59.340
apparently it wasn’t functioning. We never really found out what happened there but that was a huge

00:09:59.340 --> 00:10:02.520
stroke of luck right off the bat. JACK: Okay, so as we hear Kyle’s story,

00:10:02.520 --> 00:10:06.780
I’m going to point out a few things that I think this company should do to fix these problems.

00:10:06.780 --> 00:10:11.520
In this case it was way too easy to get on the lot, and there should have been better cameras,

00:10:11.520 --> 00:10:16.200
and maybe a guard watching over the fleet of trucks, and of course they should absolutely

00:10:16.200 --> 00:10:21.000
be locking the door to this place at night. Really, the door was completely unlocked into

00:10:21.000 --> 00:10:26.280
a warehouse of a utility company? But this is why the company hired Kyle; to check these kind

00:10:26.280 --> 00:10:30.600
of things. This is why Kyle picked this building, thinking it might be easier for him to get into

00:10:30.600 --> 00:10:35.700
versus maybe the corporate offices. KYLE: We walk through the door. [MUSIC] We’re

00:10:35.700 --> 00:10:39.540
just in a shop. It doesn’t seem like much but we do see there’s some shop computers

00:10:39.540 --> 00:10:44.580
so we know we’ve got network access there. Then there’s smaller buildings or structures

00:10:44.580 --> 00:10:48.360
that they build within these massive warehouses. They’re like a little office

00:10:48.360 --> 00:10:54.240
building within a warehouse on a lot. JACK: Kyle thinks that might be a manager’s

00:10:54.240 --> 00:10:59.040
office or something. It might have extra documents or extra network access so he

00:10:59.040 --> 00:11:03.600
heads over to that door. KYLE: There was a box of nails or

00:11:03.600 --> 00:11:09.960
screws jammed into the doorway into that office area. Again, thank you very much.

00:11:09.960 --> 00:11:17.160
Open the door right up, and in we go. JACK: Okay, next tip; if you have an office

00:11:17.160 --> 00:11:22.800
that has any kind of sensitive documents in it, lock it up at night. Kyle and his co-workers

00:11:22.800 --> 00:11:28.020
are now taking cover in this office. It’s a good place to hide out and look around. They can hear

00:11:28.020 --> 00:11:32.340
if someone’s opening the door to the warehouse or if someone’s coming and they can keep watch

00:11:32.340 --> 00:11:39.060
from here. Kyle takes his backpack off and pulls out a dropbox. A dropbox is just a computer but

00:11:39.060 --> 00:11:43.200
it’s like a small, portable, self-contained computer and you can plug it into the network

00:11:43.200 --> 00:11:48.960
and leave it behind if you have to. KYLE: It was a cell phone with a full battery and

00:11:48.960 --> 00:11:55.440
mobile hotspot enabled, attached to a Raspberry Pi attached to a wireless card connected to that

00:11:55.440 --> 00:12:02.340
mobile hotspot, connected to a battery pack all duct-taped together, plugged into the network.

00:12:02.340 --> 00:12:09.000
We bypassed the firewall. There’s no traversing out. You plug in, it’s out. Hacky as shit, dumbest

00:12:09.000 --> 00:12:13.140
thing I’ve ever done by far, technically speaking, but it did the job really, really well.

00:12:13.140 --> 00:12:18.180
JACK: Kyle plugged it into the network in this little office and texted the co-worker who’s on

00:12:18.180 --> 00:12:22.920
the other side of the country who’s been waiting for this moment. The other person is a penetration

00:12:22.920 --> 00:12:27.420
tester and he checks the connection. The way this particular dropbox works is like this;

00:12:27.420 --> 00:12:32.340
this is a Raspberry Pi and it’s like a tiny little Linux computer. It’s about the size of

00:12:32.340 --> 00:12:37.680
a pack of cards. It has two network connections; one is the cell phone that it’s connected to and

00:12:37.680 --> 00:12:42.420
the other is the network in this office. When it’s plugged in, it turns on the cell signal and tries

00:12:42.420 --> 00:12:47.160
to connect back to that pen tester on the other side of the country. This basically gives him

00:12:47.160 --> 00:12:52.020
access to this computer as if he’s sitting right there in the office with these two. But now that

00:12:52.020 --> 00:12:56.460
Kyle has plugged this thing into the network, he tells the pen tester it’s in, and the pen

00:12:56.460 --> 00:13:00.240
tester now quickly gets busy trying to figure out his way in and around this network.

00:13:00.240 --> 00:13:04.260
He’s checking to see what kind of traffic he sees, what kind of VLAN he’s on,

00:13:04.260 --> 00:13:09.120
what servers they’re talking to, and he goes from there. He gets busy trying to find anything

00:13:09.120 --> 00:13:15.000
he can in this network. Man, this is such a effective technique. I just want to underline

00:13:15.000 --> 00:13:21.600
this a little bit. You walk in the building, you stick this computer in their network, basically,

00:13:21.600 --> 00:13:28.260
that allows your other Red Teamer to connect into it which just basically gives them access into the

00:13:28.260 --> 00:13:32.880
network. Then from there, they’re aggressively – I mean, they’re probably a very skilled person

00:13:32.880 --> 00:13:39.780
who knows how to heat-sync straight [00:15:00] to the goods of this place. They’re aggressively

00:13:39.780 --> 00:13:44.160
trying to get things as you’re also in the building at the same time. Within minutes

00:13:44.160 --> 00:13:48.360
they’re probably already very successful. KYLE: Yeah, more often than not, honestly,

00:13:48.360 --> 00:13:53.700
I’ll be going through filing cabinets, throwing a few million dollars of competitive intel in

00:13:53.700 --> 00:13:58.200
my backpack, and I’ll get a text message; yo, got DA. I just put it down five minutes ago,

00:13:58.200 --> 00:14:01.020
right? That’s absolutely correct. JACK: Got the A?

00:14:01.020 --> 00:14:05.460
KYLE: DA. Domain admin. JACK: Oh. Domain admin. Within a few

00:14:05.460 --> 00:14:09.600
minutes of walking into this building, the team has full administrator abilities in this network.

00:14:09.600 --> 00:14:15.480
They can now see any files on any drives in this location and they can read e-mails for anyone who

00:14:15.480 --> 00:14:21.180
works in that building. They pretty much have access to anything in this network. Amazing. I

00:14:21.180 --> 00:14:25.800
should point out that even though I don’t know how he got DA, domain admin, there are probably

00:14:25.800 --> 00:14:30.540
a few security holes in this network that need to be patched. But besides that, this company might

00:14:30.540 --> 00:14:36.060
want to enable .1x or Knack or some kind of way that would prevent a computer to just plug into

00:14:36.060 --> 00:14:42.120
the network and be right on the network. What .1x or Knack will do is require the computer to

00:14:42.120 --> 00:14:46.860
authenticate before getting access to the network. That would prevent someone like Kyle to just walk

00:14:46.860 --> 00:14:50.940
in and plug their own computer in it. See, the goal with security isn’t to make

00:14:50.940 --> 00:14:57.360
everything perfectly secure but it should exhaust the attacker’s resources. Imagine if every port

00:14:57.360 --> 00:15:02.700
was locked down in this warehouse. Kyle would have to go around trying every port he saw to

00:15:02.700 --> 00:15:07.620
see if that one was open and would allow him on the network. This might have taken him a long

00:15:07.620 --> 00:15:13.140
time for it to happen and maybe during that time a guard would come by or another employee would come

00:15:13.140 --> 00:15:18.180
by and they would catch these hackers in the act. Sometimes you just need to slow down the hackers

00:15:18.180 --> 00:15:24.540
as best you can. But in this case, nothing was slowing them down at all. [MUSIC] I’m wondering

00:15:24.540 --> 00:15:29.340
how hard your heart is thumping at this point. Are you seriously looking over your shoulder a

00:15:29.340 --> 00:15:32.700
lot? Are you super nervous? KYLE: Not me, man.

00:15:32.700 --> 00:15:37.680
I don’t think my friend was either which is why he did a lot of physicals with me. I honestly

00:15:37.680 --> 00:15:43.140
have never really been a nervous person. It takes a lot to get me going. I just see it

00:15:43.140 --> 00:15:48.180
as I’m there to do a job and it’s gonna get done so I already know that. What’s to worry?

00:15:48.180 --> 00:15:54.120
JACK: Kyle keeps snooping around the office and grabs all kinds of documents and files and

00:15:54.120 --> 00:15:57.780
shoving all this into his backpack. KYLE: Yeah, yeah. We got some competitive

00:15:57.780 --> 00:16:01.380
intel which was something they were concerned about and it’s not just for

00:16:01.380 --> 00:16:08.580
competitive purposes. It can also be for more malicious or national security related.

00:16:08.580 --> 00:16:13.140
JACK: How do you know where to look? You’re actually like opening filing cabinets, looking

00:16:13.140 --> 00:16:19.800
for anything that would be of value, right? KYLE: Yeah. If there’s not filing cabinets,

00:16:19.800 --> 00:16:23.160
more often than not, I think you would be surprised to find that there’s a lot of

00:16:23.160 --> 00:16:27.000
really good information just rolled up sitting in boxes right in front of you when you walk through

00:16:27.000 --> 00:16:33.480
the right door. It’s really, a lot of times, just a bunch of plans when you go into these sort of

00:16:33.480 --> 00:16:38.580
companies that you’re really after. At least me, ‘cause I look at it like I can take a lot

00:16:38.580 --> 00:16:43.920
of this data and sell it to your competitors. I could take this data and I could sell it to

00:16:43.920 --> 00:16:49.260
enemies of the state. I could take this data and I could use it to leverage it for attacks against

00:16:49.260 --> 00:16:55.440
all of these other buildings or all of these other locations. Whether it’s gas, electricity,

00:16:55.440 --> 00:17:05.460
anything like that, if there’s diagrams and data to be had, I want it. I want it bad. [MUSIC]

00:17:05.460 --> 00:17:11.820
We did also take some reflective gear with company branding. We took some company cell phones that we

00:17:11.820 --> 00:17:19.080
saw in bags that were obviously stored, not in use actively. We grabbed a couple of things like that,

00:17:19.080 --> 00:17:24.060
some lanyards. This is the sort of stuff you do when you do these multi-facility things,

00:17:24.060 --> 00:17:29.820
is you snowball the gear, is what I like to call it. You snowball the loot and by the time

00:17:29.820 --> 00:17:34.080
you get to the most important target, there’s no way you can fail. You have everything you

00:17:34.080 --> 00:17:37.980
could possibly need for any situation. JACK: They even went back and grabbed their

00:17:37.980 --> 00:17:42.000
dropbox because at this point, they had so much access and lots of documents that they might as

00:17:42.000 --> 00:17:45.960
well take it with them to the next location and go with a running start next time. This

00:17:45.960 --> 00:17:49.620
looks like a job well-done. They got everything they came for and it’s time to bug out.

00:17:49.620 --> 00:17:52.740
KYLE: It was successful. We decided to bug out. We took the hardware with us.

00:17:52.740 --> 00:17:57.060
JACK: Kyle takes a look at the objectives that the client wanted him to do. Get physical access

00:17:57.060 --> 00:18:02.520
into the building; check. Get network access; check. Get domain administrator access; check.

00:18:02.520 --> 00:18:09.120
Get competitive intel; check. Find any spare keys to doors or trucks that you can take; check.

00:18:09.120 --> 00:18:13.740
But there was one more thing on the list. KYLE: They wanted us to steal as many trucks as

00:18:13.740 --> 00:18:20.220
we could off the lot. We took like, a lot of F-350s filled with tools and had trailers on

00:18:20.220 --> 00:18:26.880
them with back hoes, and Bobcats, and all kinds of shit, dude. We were instructed to park them down

00:18:26.880 --> 00:18:31.200
the street in a big parking lot and then just leave the keys somewhere inside of the building

00:18:31.200 --> 00:18:36.300
so that once they found the keys, they could go get the trucks. But they wanted to see what

00:18:36.300 --> 00:18:41.880
the [00:20:00] employees would do if they came in the next day and all their vehicles were gone.

00:18:41.880 --> 00:18:46.560
Unfortunately, I’m not capable of driving a semi or we would have made out with a lot more.

00:18:46.560 --> 00:18:49.800
JACK: How many did you move? KYLE: I think twelve or thirteen,

00:18:49.800 --> 00:18:54.300
man. We took a lot of trucks and they were all full of shit. All

00:18:54.300 --> 00:18:56.820
of them. JACK: [MUSIC]

00:18:56.820 --> 00:19:02.340
Do I even have to explain the mistakes made here? First, lock up the keys to the fleet of your

00:19:02.340 --> 00:19:06.360
trucks and don’t leave whatever key you locked it up with just lying around for someone to find.

00:19:06.360 --> 00:19:13.140
Second, there are no guards or anyone watching the cameras at this place. At least someone should

00:19:13.140 --> 00:19:17.220
be monitoring the gates when they’re opening and closing and look at the camera to see what’s going

00:19:17.220 --> 00:19:22.620
on, right? Kyle and his co-worker had a successful night and they acquired a lot of stuff but they

00:19:22.620 --> 00:19:26.820
weren’t really feeling ready to go to headquarters yet. They wanted to hit up a few more locations

00:19:26.820 --> 00:19:32.580
to what Kyle says, snowball the gear. They wanted more stuff and more access before taking on a big

00:19:32.580 --> 00:19:36.540
building. The next day they called the head of security to give them a report on how it

00:19:36.540 --> 00:19:41.520
went that day. Security was shocked but wanted to see if they could take it a step further,

00:19:41.520 --> 00:19:46.740
like really teach that location a lesson. KYLE: They had us go back the next day in broad

00:19:46.740 --> 00:19:51.360
daylight, get into a truck ‘cause we had uniforms right, so no one’s gonna stop us.

00:19:51.360 --> 00:19:55.320
We had the key because we had stolen it from the building. They wanted us to go in broad daylight,

00:19:55.320 --> 00:20:00.720
put the key in the ignition, start the truck, and try and drive off the lot. That worked.

00:20:00.720 --> 00:20:03.480
Then I called them. I was like, what do you want me to do now? I’m just sitting in front of your

00:20:03.480 --> 00:20:07.500
building in one of your trucks, fully dressed up and no one’s really doing anything even

00:20:07.500 --> 00:20:13.260
though we just stole all your shit last night. What do you want me to do now? Well, fuck it.

00:20:13.260 --> 00:20:18.900
Just drive it to the headquarters. I drove it all the way to that particular company’s headquarters

00:20:18.900 --> 00:20:25.260
which was about an hour away and then I parked it in the parking lot and I was instructed to

00:20:25.260 --> 00:20:29.400
leave the keys inside. They were gonna tell the security guard there to go check it out.

00:20:29.400 --> 00:20:37.500
I don’t know what the plan was there but I did my part. Then I got picked up and that was that.

00:20:37.500 --> 00:20:41.700
The next objective is to do a similar thing at a different location but this

00:20:41.700 --> 00:20:44.580
would be the headquarters of one of their larger acquisitions.

00:20:44.580 --> 00:20:49.320
JACK: This building is in a totally different city and state. They do a lot of passive reconnaissance

00:20:49.320 --> 00:20:53.820
like looking on social media to see if anyone posted pictures of what the badges look like

00:20:53.820 --> 00:20:58.560
so that they could maybe make a duplicate. They also look at what Google Maps has to offer.

00:20:58.560 --> 00:21:04.200
KYLE: This location was kind of more in a downtown-type area.

00:21:04.200 --> 00:21:14.040
This wasn’t the same as the previous. This was in a more business region than the other. I would

00:21:14.040 --> 00:21:20.880
say that equally dead at night, though. This was no exception in terms of the Midwest lifestyle.

00:21:20.880 --> 00:21:26.220
It was downtown but once 9:00 hit, there was nobody on the streets. We checked it out during

00:21:26.220 --> 00:21:31.080
the day; we wanted to see what the foot traffic was like and it actually was surprisingly high for

00:21:31.080 --> 00:21:40.200
such a small area, being that it was downtown. We decided that we would try to walk around inside,

00:21:40.200 --> 00:21:44.760
see if security questioned us. No one said anything. We made it to the elevators,

00:21:44.760 --> 00:21:51.600
saw that there were badges and just kept walking along. We left the building, went out, saw there

00:21:51.600 --> 00:21:56.580
was a massive parking garage that was attached to the building and kind of wrapped around. We

00:21:56.580 --> 00:22:02.400
figured that could mean there are external doors into the parking garage from if not our client’s

00:22:02.400 --> 00:22:08.640
offices, someone else’s offices which will be good enough. We wait until night because

00:22:08.640 --> 00:22:15.660
that’s just I guess what we liked to do. JACK: [MUSIC] This building isn’t a warehouse.

00:22:15.660 --> 00:22:20.580
It’s a seven-story office building and this utility company only occupies one

00:22:20.580 --> 00:22:22.800
floor of the building. KYLE: This office building

00:22:22.800 --> 00:22:26.160
essentially took up an entire city block including the parking garage.

00:22:26.160 --> 00:22:29.580
JACK: Okay, so this isn’t the headquarters of the company. It’s the headquarters of a

00:22:29.580 --> 00:22:36.300
company they acquired. It was a big place. KYLE: We wait until nighttime. We parked just down

00:22:36.300 --> 00:22:40.500
the street. There seemed to be a couple of homeless guys. They kind of wandered up and

00:22:40.500 --> 00:22:46.920
down the street regularly in this spot so we wore ratty clothes, messed up our hair a little bit,

00:22:46.920 --> 00:22:50.940
I threw a dress shirt in my backpack, for example, and threw on a t-shirt that I ripped

00:22:50.940 --> 00:22:58.680
a hole in. We just walked down the street in these clothes and the security guards would

00:22:58.680 --> 00:23:03.780
walk around inside the building and look at the street periodically and see these people walking

00:23:03.780 --> 00:23:12.660
about. As soon as we noticed, he turns around, he walks away. We dart into the parking garage

00:23:12.660 --> 00:23:18.240
and meanwhile there’s a homeless guy screaming at us as we’re doing it. I’m pretty sure that

00:23:18.240 --> 00:23:22.500
he started to come after us but the security guard came outside and started yelling at him

00:23:22.500 --> 00:23:27.180
and he stopped. We didn’t go back to double check but we’re pretty sure that’s what happened and we

00:23:27.180 --> 00:23:34.260
were trying not to crack up. We started walking up the ramp into the parking garage. We saw the

00:23:34.260 --> 00:23:40.080
stairwell doors and [00:25:00] we thought well, might only get us to the roof but

00:23:40.080 --> 00:23:44.820
it might also let us into an office. JACK: Sometimes big buildings like this in

00:23:44.820 --> 00:23:50.460
downtown with parking garages have a stairwell that leads you right into the building. Kyle

00:23:50.460 --> 00:23:54.780
and his co-worker go into the stairwell and take a look. Once they get in the stairwell,

00:23:54.780 --> 00:23:58.920
they see another door that’s attached to the office building, like an emergency

00:23:58.920 --> 00:24:02.640
exit to come out of the office. KYLE: We start walking up and down the

00:24:02.640 --> 00:24:06.780
stairs. We’re like well, there’s not exactly a fucking company directory on the wall inside the

00:24:06.780 --> 00:24:10.800
stairwell, is there? We really don’t know which floor is which and we don’t know which floor

00:24:10.800 --> 00:24:14.580
we’re on. Let’s just start guessing. JACK: They find that in the stairwell are

00:24:14.580 --> 00:24:18.360
two doors on each level; one leads to the parking garage and the other leads into the

00:24:18.360 --> 00:24:23.700
office building. They try pulling on the office building door, but it’s locked. They go up a

00:24:23.700 --> 00:24:30.060
flight and pull on that door but it’s locked. They go up another flight; locked. They go up

00:24:30.060 --> 00:24:37.080
another flight and try the door. This one opens. It’s just totally unlocked and leads them right

00:24:37.080 --> 00:24:39.360
into the office building. KYLE: We’ve got an open door.

00:24:39.360 --> 00:24:45.840
Cool. We walk out, we see a hallway. JACK: The hallway is like a common area. It’s not

00:24:45.840 --> 00:24:49.980
any particular office. It’s like the same hallway you’d be in if you just took an elevator up to

00:24:49.980 --> 00:24:55.620
that floor. As they walked down the hallway, they see doors to different offices. There were a lot

00:24:55.620 --> 00:24:59.340
of different companies in this building. KYLE: We see a couple of doors. We see some HID

00:24:59.340 --> 00:25:03.240
badge readers on these doors. We don’t know who they belong to ‘cause they’re

00:25:03.240 --> 00:25:08.340
not marked. We decide not to fuck with them just yet and we decided to walk over to the

00:25:08.340 --> 00:25:13.080
elevator. We get into the elevator. We see the badge reader. We think shit,

00:25:13.080 --> 00:25:16.800
we can only go down to the lobby. JACK: So far, so good. They’re in the building,

00:25:16.800 --> 00:25:20.820
bypassing the security guards who were there to make sure nobody got into the building late

00:25:20.820 --> 00:25:25.020
at night like this, but the badge reader on the elevator means that in order to get to

00:25:25.020 --> 00:25:30.240
certain floors they need to scan the RFID badge to get to those floors. But still,

00:25:30.240 --> 00:25:35.220
they have no idea what floor their client is on. They didn’t do enough passive reconnaissance

00:25:35.220 --> 00:25:40.980
and there’s no directory anywhere; not in this elevator, nothing. They’re both standing in the

00:25:40.980 --> 00:25:47.520
elevator trying to figure out what to do. KYLE: [MUSIC] We had one option. Press one,

00:25:47.520 --> 00:25:52.740
go to Lobby, walk out, look like idiots. That’s our option one. Not gonna do that.

00:25:52.740 --> 00:25:57.060
The other option is to sit there and wait for someone to call an elevator to a floor.

00:25:57.060 --> 00:26:03.060
Could be a security guard so we gotta be ready to look normal like this was a coincidence.

00:26:03.060 --> 00:26:06.180
But it could also be someone just manning the phones at night or some shit. That’s

00:26:06.180 --> 00:26:09.840
the safer option and while we’re doing that, might as well throw option three in there

00:26:09.840 --> 00:26:14.280
and brute force the fucking buttons. JACK: One by one they start pushing floors in

00:26:14.280 --> 00:26:19.680
the elevator. They pushed the button for the top floor. The elevator didn’t move. Rats, they need

00:26:19.680 --> 00:26:24.720
the badge to get there. They pushed the button to the next floor. The elevator didn’t move,

00:26:24.720 --> 00:26:30.120
either. The number didn’t even light up. They tried another floor; nothing.

00:26:30.120 --> 00:26:34.920
Then they tried the next floor and boom, all of a sudden, the elevator started moving.

00:26:34.920 --> 00:26:39.720
KYLE: We didn’t know though. We didn’t know why. We just knew that it was moving. Was it ‘cause

00:26:39.720 --> 00:26:43.080
we pressed a button? Did someone call it? Are we going down to the lobby ‘cause we tried too

00:26:43.080 --> 00:26:49.500
many times? There was a moment of confusion and we just looked at each other like uh?

00:26:49.500 --> 00:26:53.400
But then the doors open and we see the company logo and we see the desk and we

00:26:53.400 --> 00:26:56.880
see the doors. We’re like ba-bing! JACK: When the doors opened, they saw the

00:26:56.880 --> 00:27:01.860
company logo for the place they were trying to break into. The one floor that didn’t require

00:27:01.860 --> 00:27:08.640
a badge to access was the exact floor they needed to get on. What another stroke of luck.

00:27:08.640 --> 00:27:12.660
As you come out of the elevator there’s a reception desk and then two closed doors after

00:27:12.660 --> 00:27:16.860
that which leads into the office. KYLE: We checked the doors. Oh darn,

00:27:16.860 --> 00:27:21.600
they’re locked. We look over at the receptionist desk; a couple of drawers,

00:27:21.600 --> 00:27:26.760
there’s a lock box on top of the desk. How much you wanna bet that they key for that lock box

00:27:26.760 --> 00:27:31.860
is underneath your keyboard or in one of those drawers? That was a correct guess. [MUSIC] We

00:27:31.860 --> 00:27:38.640
found the key to the lock box inside of the first drawer that we checked and inside of the lock box

00:27:38.640 --> 00:27:43.620
were guest badges, guest badges that were not deactivated when they were not in use.

00:27:43.620 --> 00:27:48.120
JACK: After rooting around the reception’s desk, they found badges that let them in the door.

00:27:48.120 --> 00:27:53.700
This kind of reminds me of many video games I’ve played, but there’s another tip; don’t leave the

00:27:53.700 --> 00:27:59.040
keys under your keyboard or in drawers in areas like this because now the team is in.

00:27:59.040 --> 00:28:03.000
KYLE: Rinse, lather, repeat, essentially, from the previous site. Once we were inside,

00:28:03.000 --> 00:28:08.460
the objective was to find as much information openly accessible as possible,

00:28:08.460 --> 00:28:12.180
see if you could get on the network. JACK: A good place to always lay low for

00:28:12.180 --> 00:28:15.840
a while is the bathroom. The two head into the bathroom, change their clothes,

00:28:15.840 --> 00:28:19.320
and sort out their plan. KYLE: I was in the bathroom with

00:28:19.320 --> 00:28:24.060
my colleague. We were trying to figure out where we were gonna put the dropbox and we said well,

00:28:24.060 --> 00:28:27.900
we didn’t get into the server room at the last site. Let’s see if we can get into the server

00:28:27.900 --> 00:28:32.640
room at this site. It’s gotta be on this floor. This is their only floor so we know it’s here.

00:28:32.640 --> 00:28:38.640
There’s at least an IDF, something. [00:30:00] We’re walking out of the bathroom and as soon

00:28:38.640 --> 00:28:44.280
as we walk out of the bathroom door, there’s the security guard and he jumps and we jump

00:28:44.280 --> 00:28:50.760
and we all go aah! I go holy shit, you scared me, man. He goes you scared me. Are you guys

00:28:50.760 --> 00:28:55.440
okay? Are you guys working late? We’re like yeah, man. Jesus, you gotta let people know

00:28:55.440 --> 00:29:00.420
when you’re coming, you gotta put a bell on you or something. We all laugh, we part ways.

00:29:00.420 --> 00:29:06.600
JACK: Security ran into them but because they dressed like they belonged and were already in

00:29:06.600 --> 00:29:11.100
the office, the guard didn’t question them. This is a bit odd. The guard failed here.

00:29:11.100 --> 00:29:15.540
He should have stopped them and asked them more questions but instead, he just walked off.

00:29:15.540 --> 00:29:19.740
KYLE: Then we continue walking around the building as I said earlier, collecting stuff,

00:29:19.740 --> 00:29:25.020
taking pictures, flipping keyboards, and then we walked by a door. We hear humming. You know

00:29:25.020 --> 00:29:28.260
the humming. JACK: [WHIRRING]

00:29:28.260 --> 00:29:34.260
Something on the other side of the door was making a loud whirring sound. There was no windows in

00:29:34.260 --> 00:29:38.880
this room so the team couldn’t tell exactly what was in there. But when you work in IT long enough,

00:29:38.880 --> 00:29:45.480
this whirring sound is something that you will instantly recognize as the fans of a server rack.

00:29:45.480 --> 00:29:49.500
The team had scoured the whole floor at this point and didn’t find the server rack anywhere,

00:29:49.500 --> 00:29:54.480
either. They knew for sure that this had to be the room with all the computers but the door to

00:29:54.480 --> 00:30:00.300
it is guaranteed to be locked. With no windows, how do you get in? They look up and see there’s

00:30:00.300 --> 00:30:05.460
a drop ceiling. This is the typical office-type ceilings that have panels that can be pushed up

00:30:05.460 --> 00:30:10.020
and there’s a space above the panels. KYLE: There’s a broom in the janitor’s closet

00:30:10.020 --> 00:30:17.160
just down the hall. We grab that. We poke it up into the ceiling and we see that there is

00:30:17.160 --> 00:30:28.080
no wall extending over. Easy enough. I just held out my hands and said boost up, bro. Up he went,

00:30:28.080 --> 00:30:32.940
no question. Then he slid the other tile out of the way, dropped down on the other side,

00:30:32.940 --> 00:30:40.200
and all I hear is I’m good! He plugs it in, and finds a way back over, slides the

00:30:40.200 --> 00:30:45.660
tile back into place, and that was that. JACK: Okay, where’s the security failure here?

00:30:45.660 --> 00:30:51.000
This is a server room of the headquarters of a utility company that got acquired by this larger

00:30:51.000 --> 00:30:57.780
utility company. The server room of a place like this should be treated as a very secure room. It

00:30:57.780 --> 00:31:01.860
should have a security camera monitoring the outside of the door, the inside of the door,

00:31:01.860 --> 00:31:06.240
inside the server room, too, and definitely a very securely locked door that probably

00:31:06.240 --> 00:31:10.920
should be logged when it’s opened or closed. Maybe even some pressure-sensitive plates to

00:31:10.920 --> 00:31:15.420
know if something heavy has come in or out of the room. When constructing the server room like this,

00:31:15.420 --> 00:31:20.040
you should extend the walls up into the drop ceiling to stop people from just going through

00:31:20.040 --> 00:31:24.840
the ceiling to get in. I’ve heard this done many times before and a few two-by-fours

00:31:24.840 --> 00:31:29.160
and some plywood would certainly slow these people down. Especially if you have guards

00:31:29.160 --> 00:31:33.720
wandering around the floors, if they heard sawing and hammering going in the ceiling,

00:31:33.720 --> 00:31:37.800
they’d probably come check it out. KYLE: Yeah, there was a moment of giggling there,

00:31:37.800 --> 00:31:41.460
too. Like, there’s no way that there’s just not a wall, right.

00:31:41.460 --> 00:31:47.040
But that’s the thing with these multi-tenant facilities, is a lot of times you don’t have

00:31:47.040 --> 00:31:52.080
the leeway clearance pull, whatever it is you need to get shit done in that building because you’re

00:31:52.080 --> 00:31:57.120
too new there or the other tenants don’t like your company, whatever political reasons there

00:31:57.120 --> 00:32:03.720
could be. But a lot of times you are barred from being able to make those kinds of very important

00:32:03.720 --> 00:32:07.440
changes to the structure of the building. JACK: They didn’t want to come out through the

00:32:07.440 --> 00:32:12.180
server room door because that might trigger some kind of log or event. They left the drop

00:32:12.180 --> 00:32:16.740
box in there, came out through the ceiling, putting everything back. They get their pen

00:32:16.740 --> 00:32:20.580
tester to then get into the device and start attacking the network from that

00:32:20.580 --> 00:32:26.040
dropbox which is in the server rack. KYLE: We also went around and tried to see

00:32:26.040 --> 00:32:30.180
what other sorts of findings we could generate from this site for the client,

00:32:30.180 --> 00:32:35.040
things like are the shred bins unlocked? ‘Cause that’s a fairly common mistake.

00:32:35.040 --> 00:32:39.600
The data that needs to be gotten rid of is supposed to be locked up and a lot of times

00:32:39.600 --> 00:32:42.780
it’s either so full you can just grab the shit out with a picker or you can

00:32:42.780 --> 00:32:46.200
use your hands, or it’s just unlocked. JACK: They got everything they needed from this

00:32:46.200 --> 00:32:50.220
location and they’re ready to leave. They knew that if they just went down the elevator through

00:32:50.220 --> 00:32:55.920
the front doors past security, that might raise some suspicion. They came up with a plan.

00:32:55.920 --> 00:33:01.440
KYLE: We decided we didn’t really have much of a choice. We had to get all dressed up in stuff that

00:33:01.440 --> 00:33:08.640
we found around the office; hard hats, reflective gear, we got a bunch of those big cardboard

00:33:08.640 --> 00:33:14.700
roll-up storage things so that we could put a bunch of stolen goods in there, we had files, we

00:33:14.700 --> 00:33:20.100
had a couple of Toughbooks that we wanted to take with us to a SCADA site, we had some truck keys,

00:33:20.100 --> 00:33:25.380
we had about everything you could need to be an employee of this company. We decided to just walk

00:33:25.380 --> 00:33:31.440
out the front door in front of the guards. JACK: [MUSIC] When they walked past the guards,

00:33:31.440 --> 00:33:34.440
the guard spoke up. KYLE: He was like oh, you’ve got a hard hat on.

00:33:34.440 --> 00:33:39.420
You’re gonna be working hard, ha-ha. [00:35:00] Yeah. They were totally chill with it. They did

00:33:39.420 --> 00:33:45.480
even suspect a thing which I thought again, was very, very odd considering that it was three

00:33:45.480 --> 00:33:49.920
in the morning and he had just seen us in normal street clothes outside of the bathroom upstairs.

00:33:49.920 --> 00:33:56.820
It was very weird, a very weird occurrence. JACK: They walk out of the building, down the

00:33:56.820 --> 00:34:01.020
road, load their stuff up in the car, and leave. I don’t care who you are; that’s

00:34:01.020 --> 00:34:05.880
gotta give anyone an adrenaline rush. KYLE: Oh yeah, of course, man. As soon as the car

00:34:05.880 --> 00:34:13.620
doors close, that’s generally when it’s okay to kind of cut loose. We were not on camera anymore,

00:34:13.620 --> 00:34:20.580
there’s no way a client could hear us, there’s no one. We can be a little excited. We can get a

00:34:20.580 --> 00:34:26.640
little cocky amongst ourselves. We can have a good time and then get back to the hotel and party. If

00:34:26.640 --> 00:34:31.800
you’ve left the drop box there, honestly, that’s kind of the other half of the fun on physicals,

00:34:31.800 --> 00:34:36.000
where I leave the drop box and then we go back to the hotel and then you’re just hacking all night,

00:34:36.000 --> 00:34:40.260
having fun with whoever’s there with you or even your buddies who are out traveling

00:34:40.260 --> 00:34:43.860
on other engagements over the wire because you’re just passing the shell around.

00:34:43.860 --> 00:34:48.480
JACK: At this point they have a lot of stuff from this company to try to get them access

00:34:48.480 --> 00:34:52.800
into headquarters. But they don’t feel like they have enough yet. They want to

00:34:52.800 --> 00:34:57.840
hit one more site to see what they can take from there. They go to another city in another state

00:34:57.840 --> 00:35:03.000
to another office for this utility company. This is a smaller office than the last, much,

00:35:03.000 --> 00:35:09.060
much smaller. This office is in a medium-sized building, one story, with other companies that

00:35:09.060 --> 00:35:12.360
are also in this office building. KYLE: This is definitely one we have to

00:35:12.360 --> 00:35:16.620
hit at night. There’s no way we can do it during the day ‘cause the office is so small that unless

00:35:16.620 --> 00:35:21.780
we have an airtight cover story, they’re gonna know that we’re not supposed to be

00:35:21.780 --> 00:35:25.380
there and they’re gonna want to know who we are. Really small offices are just like that.

00:35:25.380 --> 00:35:30.180
JACK: The team arrives at the building at night. [MUSIC] They see a few cars in the parking lot and

00:35:30.180 --> 00:35:34.920
people coming and going from the front lobby. They discovered that other companies in this building

00:35:34.920 --> 00:35:41.040
have overnight workers, like a call center. They go up to the front door and it’s open. They get

00:35:41.040 --> 00:35:45.840
into the building. There are no guards since it’s a small building and the front door’s always open

00:35:45.840 --> 00:35:49.020
to let this overnight staff get in. KYLE: We didn’t really do a whole lot of

00:35:49.020 --> 00:35:53.580
recon in this case because the building was pretty straightforward; one level,

00:35:53.580 --> 00:35:57.720
just a long hallway with some doors. JACK: Kyle and his buddy go down the long

00:35:57.720 --> 00:36:01.800
hallway looking for the utility company inside. They finally find

00:36:01.800 --> 00:36:06.660
the door. It’s a glass door and they can see inside. It’s dark. Nobody’s in there.

00:36:06.660 --> 00:36:12.780
They pull on the door but it’s locked. KYLE: It was a glass door and it was

00:36:12.780 --> 00:36:17.820
one of those with the hook handles and the lock was inside of that. It wasn’t

00:36:17.820 --> 00:36:22.860
a deadbolt but it seemed industrial-grade. JACK: The team looks around. The hallway’s empty.

00:36:22.860 --> 00:36:28.260
There’s no security in the building and nobody seems to be around. They pull out some lock picks

00:36:28.260 --> 00:36:34.860
and begin trying to pick the lock. Kyle’s okay at this but his friend is much, much better. His

00:36:34.860 --> 00:36:40.800
friend kneels down and slowly tries to open the door. Now, I say slowly because picking a lock

00:36:40.800 --> 00:36:47.040
is usually not a quick process. There are two basic tools; a rake and a tension bar. The rake

00:36:47.040 --> 00:36:51.720
goes into the lock and pushes the pin up, ideally to the same position to where the key would push

00:36:51.720 --> 00:36:57.600
them up to, and then the tension bar is used to twist that lock open. On a tough lock you

00:36:57.600 --> 00:37:02.940
can literally try it hundreds if not thousands of times and get nowhere, and not even know if you’re

00:37:02.940 --> 00:37:08.700
anywhere close. When you try it, it either opens or doesn’t. Another big problem with picking locks

00:37:08.700 --> 00:37:14.040
is you don’t know if you need to twist the lock clockwise or counter clockwise to open it. Half

00:37:14.040 --> 00:37:19.140
your attempts have absolutely no chance of working since you’re twisting it in the wrong direction.

00:37:19.140 --> 00:37:22.860
Kyle waits nervously as his friend keeps trying to pick the lock.

00:37:22.860 --> 00:37:28.140
KYLE: I’m just peering down the hallway in both directions, trying not to look really

00:37:28.140 --> 00:37:34.260
weird as this guy’s obviously picking a lock right next to me. If anyone came around the

00:37:34.260 --> 00:37:40.200
corner this is not gonna be explainable other than he’s my locksmith. That’s all

00:37:40.200 --> 00:37:45.000
I had on me, that’s all I had prepared. JACK: Insert rake, push pins up, twist the lock;

00:37:45.000 --> 00:37:55.320
nothing. Push pins up, try to twist; nothing. Push, twist; nothing. Push, twist; nothing. Over

00:37:55.320 --> 00:38:01.980
and over he tries. To add to the stress, this is a very small office so they thought there might not

00:38:01.980 --> 00:38:05.760
be anything inside for them to even take. KYLE: It was stressful that we were sitting in

00:38:05.760 --> 00:38:10.980
this dark hallway working on a door handle for what we thought was basically no reason other than

00:38:10.980 --> 00:38:16.920
to appease the customer. If we got caught then we could have our cover blown for headquarters

00:38:16.920 --> 00:38:24.600
because the security incident could get reported to everyone there. They would then tell their

00:38:24.600 --> 00:38:28.740
parent companies or alert everyone in their offices, whatever their procedures are,

00:38:28.740 --> 00:38:34.560
and then our photos get e-mailed to headquarters. That stuff happens when you get caught doing dumb

00:38:34.560 --> 00:38:38.820
shit. [00:40:00] Yeah, it was a little nerve-wracking, especially like I said,

00:38:38.820 --> 00:38:43.140
we thought it was for probably nothing. JACK: After a while your hands start cramping

00:38:43.140 --> 00:38:47.220
up from this, your knees are getting sore from kneeling, and the pressure builds because you’re

00:38:47.220 --> 00:38:52.920
just hanging outside of an office for a long time looking really suspicious. Push, twist;

00:38:52.920 --> 00:38:59.220
nothing. Push, twist; nothing. But then push, twist; unlock. It worked! [MUSIC] They got the

00:38:59.220 --> 00:39:04.200
door open. Quickly they get inside. KYLE: We get in though, and we see there’s

00:39:04.200 --> 00:39:08.100
like eight desks in here. It’s all open. There’s a kitchenette,

00:39:08.100 --> 00:39:14.040
there’s a bathroom, and that’s it. There’s nothing. Why are we here?

00:39:14.040 --> 00:39:18.060
I guess let’s look around and see what sort of data we can get access to. Let’s see if the

00:39:18.060 --> 00:39:21.660
network’s any different. Let’s see. JACK: Because it’s a small office,

00:39:21.660 --> 00:39:26.400
they can comb through things a little bit more carefully. They look in people’s desk drawers

00:39:26.400 --> 00:39:31.140
for anything worthwhile. They look in filing cabinets, they even start looking through any

00:39:31.140 --> 00:39:37.260
backpacks that were left there overnight. KYLE: Well, as just by happenstance, it seemed

00:39:37.260 --> 00:39:41.100
that there was someone traveling to that office from headquarters

00:39:41.100 --> 00:39:46.380
that day or that week or that month. We don’t know. Maybe he had been relocated

00:39:46.380 --> 00:39:51.900
and just never sent back his original badge, but we found it in his backpack

00:39:51.900 --> 00:39:54.420
that he left at work. JACK: This badge looked like

00:39:54.420 --> 00:39:58.680
it would specifically work for the main headquarters, the main objective they

00:39:58.680 --> 00:40:03.960
needed to access. Finding this badge absolutely was worth the trip coming down here.