WEBVTT

00:00:01.680 --> 00:00:06.800
JACK: Hey, it’s Jack, host of the show. A long time ago I set up a file-sharing website at

00:00:06.800 --> 00:00:11.760
home on a Raspberry Pi. I set it up to make it easy to transfer files between me and anyone I

00:00:11.760 --> 00:00:17.040
needed to send files to. It was a simple website; drag and drop the file onto the webpage and boom,

00:00:17.040 --> 00:00:21.920
it’s hosted on my website for like, a week, and then it gets deleted. I knew it wasn’t secure

00:00:21.920 --> 00:00:26.960
so I never posted anything that was sensitive to it but I also took this opportunity to see

00:00:26.960 --> 00:00:32.160
if I could detect anyone trying to hack into the thing. I set up all my best sensors I had at home;

00:00:32.160 --> 00:00:37.280
a firewall, an intrusion detection system, full packet captures using Security Onion, I turned

00:00:37.280 --> 00:00:42.800
on tons of logging and watched but nothing happened. Nobody knew my site existed to even

00:00:42.800 --> 00:00:48.080
think about trying to exploit it. Oh, well. I forgot about that little website for years

00:00:48.080 --> 00:00:54.400
but last week I went to check on it and there was a suspicious file uploaded not by me. [MUSIC] I

00:00:54.400 --> 00:01:00.240
checked into it and whoa, someone uploaded an exploit and gained access to my Raspberry Pi.

00:01:00.240 --> 00:01:07.120
A hacker was in my house. Okay, jeez, quick, what do you do? Perhaps some people would feel

00:01:07.120 --> 00:01:13.840
freaked out, violated, or get anxiety because it’s scary knowing someone is in your computer looking

00:01:13.840 --> 00:01:20.960
at your stuff. You have no idea who they are. But me, well, I stayed calm because I expected

00:01:20.960 --> 00:01:25.760
this to happen so I isolated the whole thing on its own network and it just wasn’t possible for

00:01:25.760 --> 00:01:30.160
them to move to any other computer or get anything good off this Raspberry Pi. You could say this was

00:01:30.160 --> 00:01:34.320
sort of a honeypot. I traced their footsteps and looked at everything they did.

00:01:34.320 --> 00:01:39.600
Pfft, amateurs. They used an off-the-shelf PHP script to exploit the thing. They didn’t cover

00:01:39.600 --> 00:01:43.200
their tracks. They checked a few directories looking for anything good. This server had

00:01:43.200 --> 00:01:47.440
nothing, not even a database. They tried getting the root and hopping to some other devices in the

00:01:47.440 --> 00:01:53.440
network but yeah, no luck. This system wasn’t even allowed to connect to the internet so they left.

00:01:53.440 --> 00:01:58.320
Yeah, not really that exciting. I turned that Raspberry Pi off and reformatted the SD card.

00:01:58.320 --> 00:02:03.120
But you know what? I did learn something cool along the way, and we’re gonna get into a similar

00:02:03.120 --> 00:02:08.640
story today that I think you’ll learn something interesting too, on what to do when this happens

00:02:08.640 --> 00:02:15.200
in an important network. JACK (INTRO): [INTRO MUSIC]

00:02:15.200 --> 00:02:25.280
These are true stories from the dark side of the internet. I’m Jack Rhysider. This

00:02:25.280 --> 00:02:43.680
is Darknet Diaries. [INTRO MUSIC ENDS] JACK: [MUSIC]

00:02:43.680 --> 00:02:48.000
Okay, so this is another Mini-Stories episode. There are three stories in one. These are stories

00:02:48.000 --> 00:02:52.880
that are too good to pass up but not long enough to make into a whole episode. There are a few cuss

00:02:52.880 --> 00:02:58.960
words in this one, just to let you know. Alright, so let’s call some hackers. [SKYPE CALLING]

00:02:58.960 --> 00:03:00.320
Hello? DAVE: Can you hear me?

00:03:00.320 --> 00:03:06.000
JACK: This is Dave Kennedy. He’s quite known in the InfoSec space. He’s built some highly popular

00:03:06.000 --> 00:03:10.160
hacking tools and helped start DerbyCon which is a popular hacking conference in

00:03:10.160 --> 00:03:13.640
Kentucky. But probably the thing he’s most proud of, his crowning achievement…

00:03:13.640 --> 00:03:14.720
SEAN: Hi. JACK: …is this.

00:03:14.720 --> 00:03:16.240
SEAN: How are you? ELLIOT: One second,

00:03:16.240 --> 00:03:19.520
just finishing up an e-mail. JACK: This is a clip from Mr. Robot.

00:03:19.520 --> 00:03:23.840
Elliot, the character in the show, is trying to hide from someone and slips into a conference

00:03:23.840 --> 00:03:28.240
room and tries to social engineer his way into a meeting that’s in progress.

00:03:28.240 --> 00:03:32.400
ELLIOT: We should get started. SEAN: I think you’re in the wrong room.

00:03:32.400 --> 00:03:36.960
ELLIOT: I’m sorry, you are? SEAN: Sean, head of sales.

00:03:36.960 --> 00:03:43.840
ELLIOT: Sean, of course. Dave Kennedy. I work with Craig on the Q4 push.

00:03:43.840 --> 00:03:48.240
I had longer hair, then. JACK: Hah. There’s no coincidence that

00:03:48.240 --> 00:03:53.440
Elliot uses Dave Kennedy as his fake name while trying to social engineer his way into this thing.

00:03:53.440 --> 00:03:59.360
It’s because Dave is a social engineer master. Dave’s reputation precedes him. So, how does a

00:03:59.360 --> 00:04:03.840
big-time InfoSec guy like this get started? Playing video games in high school.

00:04:03.840 --> 00:04:09.680
DAVE: I was programming MUDs back then and I was one of the guys that ran the actual

00:04:09.680 --> 00:04:12.480
MUD and kind of promoted it and grew it and everything else. That’s where

00:04:12.480 --> 00:04:16.560
I started learning some C and C++. JACK: MUD stands for Multi-User Dungeon.

00:04:16.560 --> 00:04:21.120
Think of it like World of Warcraft but with absolutely no graphics. It’s all text-based

00:04:21.120 --> 00:04:25.440
but still online where you can group up and quest, and raid, and fight everything. He

00:04:25.440 --> 00:04:30.240
realized college wasn’t right for him after high school so he decided to join the army. [MUSIC] He

00:04:30.240 --> 00:04:34.480
headed down to the army recruiter’s office. DAVE: The guys just didn’t seem very happy there

00:04:34.480 --> 00:04:38.320
and I’m like man, why would I want to join this if the folks that are trying to recruit me aren’t

00:04:38.320 --> 00:04:43.120
happy about their jobs or what they’re doing? I was actually walking out; I’m not even gonna join

00:04:43.120 --> 00:04:48.640
the military and I saw these four really buff marines walking in-sync and they’re wearing the

00:04:48.640 --> 00:04:54.080
dressed blues and just looked sharp as heck. I was like man, I want to be like that. I walked into

00:04:54.080 --> 00:04:59.360
the marine recruiting station and I was a really overweight kid and didn’t have a lot of physical

00:04:59.360 --> 00:05:03.120
fitness or anything like that. I said hey, I want to become a marine.

00:05:03.120 --> 00:05:09.360
I tested very highly on the ASVAB which is the aptitude test for the military. What was great

00:05:09.360 --> 00:05:14.320
about the Marine Corps is they guarantee your position and I wanted to do something

00:05:14.320 --> 00:05:21.040
like hacking and wanted to get into more of the intelligence side of things. I was able to go into

00:05:21.040 --> 00:05:24.080
the military intelligence side and work in signals intelligence which was a ton of fun.

00:05:24.080 --> 00:05:31.440
JACK: He was stationed in Hawaii and at Fort Meade and did two tours in Iraq. He got to do fun stuff like

00:05:31.440 --> 00:05:36.640
forensics and research and cyber-warfare. He got out of the military and joined a small consulting

00:05:36.640 --> 00:05:42.080
shop. Back then penetration testing and security in general was in its early stages. Social

00:05:42.080 --> 00:05:46.320
engineering, the deceptively benign-sounding name for tricking people into giving up their

00:05:46.320 --> 00:05:51.440
passwords, that really wasn’t that big of a thing yet. Web applications weren’t really getting that

00:05:51.440 --> 00:05:56.800
much attention from the security professionals. Dave headed up the penetration testing division,

00:05:56.800 --> 00:06:01.680
then eventually became the VP of consulting and it was at this, his first job, where he

00:06:01.680 --> 00:06:05.680
learned a lot of new skills and different programming languages like Python.

00:06:05.680 --> 00:06:11.040
DAVE: Then I had a really great opportunity hit me to be the Chief Security Officer over at Diebold

00:06:11.040 --> 00:06:16.160
which at the time I think I was like twenty-six or twenty-seven years old which was awesome,

00:06:16.160 --> 00:06:21.600
being a VP of a – security of a Fortune 1000 company. Really had no idea what I was doing but

00:06:21.600 --> 00:06:24.320
it turned out to be a really, really awesome position. I learned a ton from that.

00:06:24.320 --> 00:06:29.200
JACK: Twenty-seven and the VP of a Fortune 1000 company? Whoa. He was

00:06:29.200 --> 00:06:34.080
young and motivated to learn. He picked up all kinds of skills that he used to then start up

00:06:34.080 --> 00:06:38.720
his own company which he called TrustedSec and then he started Binary Defense.

00:06:38.720 --> 00:06:43.200
DAVE: TrustedSec is an information security consulting company. I started it literally in the

00:06:43.200 --> 00:06:48.720
basement of my house, and Binary Defense as well. I started Binary Defense and they’re both two

00:06:48.720 --> 00:06:53.600
different companies, two separate companies, and I did that for a very specific reason. Consulting

00:06:53.600 --> 00:06:58.400
is very specific and I didn’t feel like we could be the same company doing the same work and also

00:06:58.400 --> 00:07:02.160
doing the monitoring, detection of an organization as well, like giving heads up or making ourselves

00:07:02.160 --> 00:07:06.080
look good when we’re doing an assessment. I really split the companies up early on. I

00:07:06.080 --> 00:07:11.200
think we have about 162 employees now. JACK: The story we’re talking about today is

00:07:11.200 --> 00:07:16.480
about an assignment with TrustedSec. For this engagement, the client was a large retail company

00:07:16.480 --> 00:07:22.240
with retail stores all over the US and they wanted Dave to test the security of the store.

00:07:22.240 --> 00:07:25.040
DAVE: [MUSIC] We had a few objectives; one is to be able to steal stuff from

00:07:25.040 --> 00:07:28.480
the store. The other objectives were to get access to the corporate headquarters.

00:07:28.480 --> 00:07:30.880
JACK: Steal stuff from the store is actually going into the store

00:07:30.880 --> 00:07:35.360
and grabbing stuff off the shelves? DAVE: Oh yeah. Yeah, absolutely. As well as

00:07:35.360 --> 00:07:40.240
could you get access to the back-store area where they have the point-of-sale systems and

00:07:40.240 --> 00:07:44.080
the base servers. Could we get into them and plant stuff in? It was a lot of fun.

00:07:44.080 --> 00:07:48.240
JACK: If you think about it, this type of work is simply quality assurance. Companies have been

00:07:48.240 --> 00:07:53.440
doing quality assurance testing for decades, making sure their product is within spec. Now

00:07:53.440 --> 00:07:58.400
in the modern age, the way some companies test quality assurance is to hire a bad guy

00:07:58.400 --> 00:08:02.480
to see how good their security is. DAVE: We did some reconnaissance ahead of

00:08:02.480 --> 00:08:07.120
time. We went to the store, purchased a couple of things legitimately, went to a different store,

00:08:07.120 --> 00:08:10.560
looked at who the employees were, how they operated when they took lunch breaks, the least

00:08:10.560 --> 00:08:14.480
amount of personnel during times. We had all of that kind of mapped out for when we were

00:08:14.480 --> 00:08:18.640
actively going after this organization. JACK: While he was there, he noticed these stores

00:08:18.640 --> 00:08:24.720
all have LP. You know what LP is, right? It’s Loss Prevention and it’s typically a person

00:08:24.720 --> 00:08:30.000
standing near the front door of the store watching every customer coming in and going out to prevent

00:08:30.000 --> 00:08:35.520
people like Dave from stealing things. First, Dave got to test how good their LP is.

00:08:35.520 --> 00:08:39.760
DAVE: If you come in wearing a suit, you’re pretty much not going to be looked upon. You come in

00:08:39.760 --> 00:08:46.320
dressed up as a – ripped jeans and dirty hair, or something like that, I don’t know, looking

00:08:46.320 --> 00:08:52.640
suspicious, looking to your left and right; maybe that’s a way that you get identified. But for us,

00:08:52.640 --> 00:08:57.920
we usually come in looking professional and looking in a way that we’re not suspicious. We’re

00:08:57.920 --> 00:09:00.800
not looking over our shoulders. We’re not looking nervous; we’re looking like a customer. We might

00:09:00.800 --> 00:09:07.600
actually buy some things with cash just to throw everything off. It’s more so just trying to be

00:09:07.600 --> 00:09:10.880
and act like you play a part of that role and that you fit. We just started

00:09:10.880 --> 00:09:15.600
grabbing a bunch of things from the store, shoved them into our backpacks.

00:09:15.600 --> 00:09:21.280
JACK: During this time, the LP is looking for shoplifters but Dave brought help to handle that,

00:09:21.280 --> 00:09:25.520
a second person to distract the LP. DAVE: It’s very difficult to keep an eye on

00:09:25.520 --> 00:09:29.920
everybody that’s in the store so there’s only a finite amount of personnel. If you can do some

00:09:29.920 --> 00:09:35.040
distractions in different locations that have much lower levels of personnel, you have a much higher

00:09:35.040 --> 00:09:40.880
percentage of being successful. Things that can take time away from the person, like if we have

00:09:40.880 --> 00:09:44.960
two people, we can do a diversion for one; have them communicate and talk. The other person’s

00:09:44.960 --> 00:09:49.840
doing nefarious things. That works out really well with us when we have two people doing it.

00:09:49.840 --> 00:09:54.400
JACK: At this point, Dave has a bag full of stuff he stole and is walking around the store.

00:09:54.400 --> 00:09:57.840
This is a multi-floor store so he goes up to the second floor

00:09:57.840 --> 00:10:00.320
and he even goes up to the third floor. DAVE: When we walked in the store, it’s just

00:10:00.320 --> 00:10:04.560
a regular person. When they weren’t looking, we just went into the back. [MUSIC] We

00:10:04.560 --> 00:10:08.160
were basically in the back for I don’t know, twenty minutes, thirty minutes. We have these

00:10:08.160 --> 00:10:13.040
little devices that we call TAP devices that have cellular communications so we don’t have to worry

00:10:13.040 --> 00:10:16.720
about the firewalls but it still allows direct access to their network. We plug that into another

00:10:16.720 --> 00:10:20.640
network that has two ports on it. Just unplug the one Ethernet cable, plug the other one in,

00:10:20.640 --> 00:10:24.800
and then was able to basically have direct access to their back-end infrastructure,

00:10:24.800 --> 00:10:29.120
their card-holder environment and the retail’s enterprise network.

00:10:29.120 --> 00:10:34.640
JACK: Okay, he’s stolen stuff and now tapped into the network and got access into their back-end

00:10:34.640 --> 00:10:39.280
infrastructure through this network port. DAVE: They had iPads for cashing people out and

00:10:39.280 --> 00:10:47.360
things like that. We took two of the iPads. JACK: Jeez, Dave is on a roll here. Now they have

00:10:47.360 --> 00:10:51.840
access to customer credit card information and internal company data. They came out from

00:10:51.840 --> 00:10:55.280
the back room to see what other things they could take from the store.

00:10:55.280 --> 00:11:01.760
DAVE: Then we saw the cash register and it was on this podium. We just had one of our

00:11:01.760 --> 00:11:06.160
folks – there were two of us. One of them was just basically asking about a bunch of stuff.

00:11:06.160 --> 00:11:11.760
JACK: He was distracting the LP. DAVE: I basically took a screwdriver and

00:11:11.760 --> 00:11:16.720
removed it from the back, unbolted it from the thing and walked out with the cash register.

00:11:16.720 --> 00:11:20.640
This is a big cash register; this isn’t like a small thing. I took the whole cash register

00:11:20.640 --> 00:11:26.240
with all the money inside of it. I mean, it’s extremely heavy. I carried that out, literally,

00:11:26.240 --> 00:11:30.000
and walked out of the store without anybody – one of the employees looked at me and kind of looked

00:11:30.000 --> 00:11:35.040
at me weird but then I just kinda waved and walked out and that was the end of the story. We walked

00:11:35.040 --> 00:11:38.720
out, got in our car, and drove off. JACK: Dave walks out of the store with a big

00:11:38.720 --> 00:11:44.080
old heavy cash register full of cash, two iPads in his backpack, and a ton of other

00:11:44.080 --> 00:11:50.560
store merchandise. Unbelievable. DAVE: You know, it’s a rush. I get nervous

00:11:50.560 --> 00:11:54.160
every single time I still do it. JACK: Dave now tries to test another store

00:11:54.160 --> 00:11:58.000
to see how they’d handle him. DAVE: For one of the stores, we called

00:11:58.000 --> 00:12:02.320
ahead and we spoofed our number coming from the corporate offices and claimed to be one of their

00:12:02.320 --> 00:12:06.000
main IT folks, and that we were going to be doing an upgrade to the store location

00:12:06.000 --> 00:12:09.040
for faster bandwidth and everything else. They were super excited about that so they let us

00:12:09.040 --> 00:12:12.960
right in. We had fake business cards. JACK: This is one of Dave’s specialties; social

00:12:12.960 --> 00:12:18.160
engineering, spoofing phone numbers, acting like IT from corporate office. He’s a master at this.

00:12:18.160 --> 00:12:23.040
When he did this, it worked like a charm. They escorted him right into the back room, showed him

00:12:23.040 --> 00:12:28.240
the computers, and left him there unsupervised for thirty minutes while he hacked into the network.

00:12:28.240 --> 00:12:33.040
Again, unbelievable. Dave explained to the head of security how they could get into

00:12:33.040 --> 00:12:38.160
everything so easily and this kind of shocked him. They wanted Dave to now test the security

00:12:38.160 --> 00:12:42.640
in their corporate headquarters to see if they could break into the data center there.

00:12:42.640 --> 00:12:44.960
DAVE: Here’s where we actually got busted. It wasn’t the store

00:12:44.960 --> 00:12:48.560
location that didn’t have the most amount of security; it was the enterprise location that

00:12:48.560 --> 00:12:51.200
didn’t have much security at all. JACK: First, they had to figure out how to

00:12:51.200 --> 00:12:55.280
get into the building of headquarters. DAVE: What we did is, we looked at the front

00:12:55.280 --> 00:13:00.400
location. The front location, you had a lot of people badging in. However, one of the side doors,

00:13:00.400 --> 00:13:04.320
people could just walk out. You didn’t see anybody walking in but you could see people walking out,

00:13:04.320 --> 00:13:10.640
especially during lunch and dinner, things like that. During lunchtime, we waited outside and

00:13:10.640 --> 00:13:14.560
saw somebody walking out and we were just pretending to be on the phone. We’re dressed up in a suit.

00:13:14.560 --> 00:13:17.280
As soon as the door was about to close, we grabbed it and we walked right in. It was really

00:13:17.280 --> 00:13:22.880
easy to get into the building itself. JACK: [MUSIC] It’s easy for Dave because he

00:13:22.880 --> 00:13:26.720
knows all the tricks and has done this a bunch of times. When you do something a lot, you get

00:13:26.720 --> 00:13:29.760
pretty confident with what you’re doing. DAVE: You just walk around like you belong.

00:13:29.760 --> 00:13:33.920
You walk around, you pretend that you’re on the phone. You’re with somebody else,

00:13:33.920 --> 00:13:36.560
you’re pointing at something, you’re pretending that you’re having a meeting.

00:13:36.560 --> 00:13:39.920
You just keep walking around the building until you find the objectives that you need.

00:13:39.920 --> 00:13:43.200
We found the data center. The data center was locked and there wasn’t a lot of traffic,

00:13:43.200 --> 00:13:48.560
especially during lunchtime. We went to this conference room which was a

00:13:48.560 --> 00:13:52.000
conference room tucked away on the side. JACK: They sat down and acted like they belonged

00:13:52.000 --> 00:13:57.360
there. From here, they planned their next steps. They wanted in the data center but that door was

00:13:57.360 --> 00:14:02.640
locked and chances are, it’s harder to piggyback into a data center and just follow someone else

00:14:02.640 --> 00:14:07.200
in. But a good social engineer doesn’t always have everything planned out. Sometimes they

00:14:07.200 --> 00:14:11.920
just have to take it step by step, see how far they can get, and then figure out what they can

00:14:11.920 --> 00:14:16.800
do from there. They looked around to see what they could use in this conference room.

00:14:16.800 --> 00:14:22.080
DAVE: There was a conference bridge on there, like a phone there. We called from the bridge and I

00:14:22.080 --> 00:14:25.520
called the data center number. The way that I was able to do that was first calling the receptionist

00:14:25.520 --> 00:14:30.960
first and saying hey, what’s the data center’s extension? They gave it to me, then I called the

00:14:30.960 --> 00:14:36.080
extension. Before we called the extension, we did some research on individual people in the company

00:14:36.080 --> 00:14:40.800
and I found a person in IT that had access to the data center so I called this phone.

00:14:40.800 --> 00:14:45.440
I’m like hey, let’s say his name’s Bob. I’m like hey, it’s Bob, I’m here with a bunch of auditors

00:14:45.440 --> 00:14:54.240
for PCI work. They need to do just a quick site audit of the data center. Could you let them in

00:14:54.240 --> 00:15:00.400
just so we can get this last part of this compliance thing taken care of for the

00:15:00.400 --> 00:15:04.240
Payment Card Industry? Threw out a bunch of acronyms, things like that. The person

00:15:04.240 --> 00:15:09.120
at the data center was like hey, who did you say you were again? I’m like oh hey, it’s Bob.

00:15:09.120 --> 00:15:13.760
Just trying to get this audit done. He’s like I’m best friends with Bob and you’re definitely not

00:15:13.760 --> 00:15:17.840
Bob. I don’t know who you are or why you’re calling from a conference room that’s downstairs,

00:15:17.840 --> 00:15:23.200
but something’s not right here. JACK:

00:15:23.200 --> 00:15:28.240
Shoot, he’s been caught. Of all the people to impersonate, he picked someone that person on the

00:15:28.240 --> 00:15:32.240
phone actually knew. Quick, what do you do? DAVE: We rushed out of the building really

00:15:32.240 --> 00:15:37.280
quick before we got busted. JACK: Dave escapes and that’s always the

00:15:37.280 --> 00:15:42.560
second objective to a social engineer if they get caught, to try to escape because part of this is

00:15:42.560 --> 00:15:47.360
testing their incident response. Their response was pretty poor if they let Dave get away.

00:15:47.360 --> 00:15:51.760
But Dave’s objective was not complete. The company tasked him with getting into the data center so he

00:15:51.760 --> 00:15:56.400
needs to go back and try again. But now on one hand, he knows more about the location

00:15:56.400 --> 00:16:00.880
and on the other hand, it might be trickier because maybe they’re on high alert now.

00:16:00.880 --> 00:16:06.720
DAVE: We rebroke back in two days later, same method for piggy-backing,

00:16:06.720 --> 00:16:11.280
and then we waited past lunch until everybody came back and we just sat.

00:16:11.280 --> 00:16:15.600
There was a little break room right outside the data center and we just sat and watched who had

00:16:15.600 --> 00:16:20.480
access to the data center and who didn’t. JACK: [MUSIC]

00:16:20.480 --> 00:16:25.520
They noticed to get into the data center, you need an RFID badge. This is one of those proximity

00:16:25.520 --> 00:16:30.160
cards where you swipe a credit card-looking thing near the door and it unlocks the door.

00:16:30.160 --> 00:16:34.000
Well, they came prepared for that. DAVE: We’ve created our own custom backpacks

00:16:34.000 --> 00:16:38.320
that are over-amplified and we can usually get a little bit of distance, a few inches

00:16:38.320 --> 00:16:43.440
away from an individual and their badge and be able to collect. We can just walk past somebody

00:16:43.440 --> 00:16:48.880
and clone their badge and be able to replicate it. We can clone as many as you want to. We can actually

00:16:48.880 --> 00:16:55.600
imprint new badges. What we usually do is we’ll get pictures from outside the facility of their

00:16:55.600 --> 00:17:01.200
badges and then we have a printer in our car; it’s like a portable printer. We’ll print badge IDs

00:17:01.200 --> 00:17:06.960
that look like theirs as well, with our pictures on it. Then we’ll just imprint those badges

00:17:06.960 --> 00:17:12.960
with their identification and their badge cloning. Just by walking past them you can literally just

00:17:12.960 --> 00:17:16.800
clone a badge, as many as you want to. JACK: They do just that. They prepare to use their

00:17:16.800 --> 00:17:22.400
RFID key card cloning machine to walk past someone coming in or out of the data center, clone it,

00:17:22.400 --> 00:17:27.440
and then go make a copy off-site. As they’re watching people go in and out of the data

00:17:27.440 --> 00:17:31.840
center, they pick someone, a mark. DAVE: We’re able to walk past the person,

00:17:31.840 --> 00:17:36.800
grab them and say hey, I’m a new employee here, blah, blah, blah, just ask a bunch of questions.

00:17:36.800 --> 00:17:42.160
We cloned his badge at the same time. JACK: Success, they got the digital key they

00:17:42.160 --> 00:17:45.680
need to get into the data center. They need to leave and go print

00:17:45.680 --> 00:17:51.280
it on a badge. They pack up and head out. DAVE: Came back at night, badged ourselves in, and

00:17:51.280 --> 00:17:54.560
got into the data center that way. We signed in as we were supposed to ‘cause there was somebody

00:17:54.560 --> 00:17:59.120
in there. Didn’t even question us or ask us, just kind of looked at us. We signed in, they went back

00:17:59.120 --> 00:18:04.800
to their computer, and then we essentially had free access to roam the data center. What we did

00:18:04.800 --> 00:18:10.640
is we placed another TAP device in one of the core networking switches which gave us – we confirmed

00:18:10.640 --> 00:18:15.520
the DHCP and we were able to communicate with different things. Once we had that,

00:18:15.520 --> 00:18:21.760
we essentially had direct access to their entire environment; took pictures, and selfies, things

00:18:21.760 --> 00:18:24.240
like that. There was actually a bathroom in the data center which I thought was really weird, so

00:18:24.240 --> 00:18:29.360
we used the bathroom. Then we walked out. JACK: Mission accomplished. Feels good. But

00:18:29.360 --> 00:18:34.320
Dave is in a funny place because when he’s successful, it means his client’s security

00:18:34.320 --> 00:18:37.760
wasn’t strong enough. It sort of means he has to go to them with bad news.

00:18:37.760 --> 00:18:43.280
DAVE: It’s almost always shock. They assume that they have problems or exposures

00:18:43.280 --> 00:18:48.720
but they probably don’t realize to what extent that is. Our job isn’t to say listen, you’re

00:18:48.720 --> 00:18:53.200
doing all this wrong. Our job is to highlight the things that they’re doing well, as well.

00:18:53.200 --> 00:18:55.600
Here’s the things that you did well and here’s the things that actually thwarted or stopped

00:18:55.600 --> 00:19:00.720
us. Here’s the things that you do very good and here are some of the things that we identified

00:19:00.720 --> 00:19:05.600
that are really good for you to address based on criticality or risk towards your organization,

00:19:05.600 --> 00:19:09.520
and here’s how you address them. Here’s how you fix them. It’s not just about smashing

00:19:09.520 --> 00:19:14.000
and grabbing and being an awesome hacker and doing all these crazy things. It’s really about making

00:19:14.000 --> 00:19:17.600
the customer better, making the people that you’re testing better in the long run.

00:19:17.600 --> 00:19:21.040
I think that’s really important that we lose a lot in this industry of,

00:19:21.040 --> 00:19:25.920
is that most folks just focus on hey, I’m the best hacker in the world. I just destroyed everything.

00:19:25.920 --> 00:19:30.320
Good luck. Then kinda leave it there, whereas as an industry, we really have to focus more

00:19:30.320 --> 00:19:34.080
on the teaching aspects around hey, how do they actually fix this, how do they actually address

00:19:34.080 --> 00:19:38.320
it? What are the things that they could do to get better and make it harder for attackers to get

00:19:38.320 --> 00:19:41.600
in? That’s really our ultimate goal. JACK: Dave met with the company and coached

00:19:41.600 --> 00:19:45.920
them how to shore up their defenses. As you may have guessed, this episode and past episodes,

00:19:45.920 --> 00:19:51.520
those RFID badges, yeah, they’re vulnerable to cloning which makes it easy to bypass those locks.

00:19:51.520 --> 00:19:55.520
Some companies have moved away from using badges like this and have switched to something else

00:19:55.520 --> 00:20:00.160
like maybe a magnetic stripe card which has its own weaknesses but it makes cloning it a

00:20:00.160 --> 00:20:04.720
little bit harder. Other companies require a biometric ID to get into doors,

00:20:04.720 --> 00:20:09.840
so like a fingerprint or an eye scanner. I’ve been in a big data center that did all

00:20:09.840 --> 00:20:15.440
this and more; an RFID badge just to get into the parking lot, a pin to get into the building, then

00:20:15.440 --> 00:20:20.240
to get into the data center area in the building you had to swipe a magnetic card, enter a little

00:20:20.240 --> 00:20:25.120
chamber which weighed you, and then did a retina scan and then allowed only one person through at

00:20:25.120 --> 00:20:30.240
a time with a guard watching every single person coming in and out. Then to top it off, I needed

00:20:30.240 --> 00:20:35.280
an old-fashioned, regular key to get into the actual cage where my client’s servers were. Oh,

00:20:35.280 --> 00:20:40.160
and as a side note, I thwarted all this security a few times and snuck my girlfriend in without going

00:20:40.160 --> 00:20:45.440
through any of this but that’s another story. Dave gave a bunch of tips to this client.

00:20:45.440 --> 00:20:52.080
DAVE: When we debriefed them, we worked with them again the next year, and they had really

00:20:52.080 --> 00:20:57.280
taken the results and addressed them. They ended up switching to a different solution and away from

00:20:57.280 --> 00:21:02.560
proximity cards. They actually did a technology improvement and enhancement and put also

00:21:02.560 --> 00:21:06.320
additional controls in place like instead of that back area being there, you had to go through

00:21:06.320 --> 00:21:10.640
mantraps and things like that to get in and out of the building. They did a really good job and

00:21:10.640 --> 00:21:16.000
we actually got busted the year after that in both the retail location store as well as the corporate

00:21:16.000 --> 00:21:31.920
headquarters. It was a good success story. JACK:

00:21:31.920 --> 00:21:34.560
[MUSIC] Yeah, might as well start out with your name and what do you do?

00:21:34.560 --> 00:21:41.680
CLAY: My name is Clay. I am an InfoSec engineer. I work at a university

00:21:41.680 --> 00:21:47.440
so I’m InfoSec for an entire school. Yeah, we have a lot of Linux machines. We’ve

00:21:47.440 --> 00:21:52.640
also been migrating a lot to the Cloud. JACK: Clay does a lot of IT work for this school,

00:21:52.640 --> 00:21:58.080
this big university, ranging from anything from coding to system administration,

00:21:58.080 --> 00:22:02.480
web app security, setting up the network, and even doing penetration tests.

00:22:02.480 --> 00:22:07.440
CLAY: I also help generate best practices if they have – if sysadmins or programmers have questions,

00:22:07.440 --> 00:22:11.200
they can come to me and if I don’t know the answer off the top of my head,

00:22:11.200 --> 00:22:16.160
I do the research and get back to them. JACK: One of Clay’s responsibilities is to take

00:22:16.160 --> 00:22:20.640
care of threats that are found in the network. One thing he battles a lot with is…

00:22:20.640 --> 00:22:29.040
CLAY: Cryptominers. [MUSIC] Being in this environment, in academia, it’s really hard to have

00:22:29.040 --> 00:22:33.600
all of the systems on the network managed. JACK: A managed system is just a computer that

00:22:33.600 --> 00:22:38.800
Clay is aware of and can access, and somewhat control. An unmanaged computer on the network,

00:22:38.800 --> 00:22:43.200
Clay has no control over it and may not even know it exists. Obviously if you’re a system

00:22:43.200 --> 00:22:47.360
admin, you want to be able to access all the computers on your network but at the same time,

00:22:47.360 --> 00:22:52.480
it’s impossible to manage every computer at a university; students bring their own devices

00:22:52.480 --> 00:22:57.440
into the network all the time. But yeah, something Clay battles with frequently is cryptominers. This

00:22:57.440 --> 00:23:02.560
is where a student might install a Bitcoin miner on a computer in the lab or in a research center,

00:23:02.560 --> 00:23:06.720
and then the Bitcoin miner will consume a ton of CPU or graphics processing to try

00:23:06.720 --> 00:23:11.840
to generate some crypto-coins and automatically get deposited into the student’s wallet, and Clay will

00:23:11.840 --> 00:23:18.560
actually get an alert when this happens. CLAY: We have an IDS in place. That’s typically

00:23:18.560 --> 00:23:23.920
how we’ll be notified of these events. JACK: An IDS stands for Intrusion Detection

00:23:23.920 --> 00:23:28.240
System. This is a device that inspects every packet coming in or out of the network and checks

00:23:28.240 --> 00:23:33.440
to see if that packet matches any known signature for some kind of security issue. In this case,

00:23:33.440 --> 00:23:37.920
it matches the signature for cryptomining because when it connects to the blockchain or pools,

00:23:37.920 --> 00:23:41.440
or whatever, it then recognizes this as a miner and triggers an alert.

00:23:41.440 --> 00:23:49.600
CLAY: Yeah, then the fun begins. We can isolate the machine, usually myself and a sysadmin just so

00:23:49.600 --> 00:23:54.560
we have two pairs of eyes. It’s always better than one. We’ll go and we’ll start the investigation.

00:23:54.560 --> 00:24:00.160
We’ll look at running processes, we’ll look at the bash history, things like that. We’ll

00:24:00.160 --> 00:24:06.720
look at open ports. [00:25:00] If it’s like running netstat, we can see if it’s listening or

00:24:06.720 --> 00:24:12.480
if there’s a connection that is established. There isn’t always

00:24:12.480 --> 00:24:16.400
but yeah, we look at all those things. JACK: It’s fun because when detecting something

00:24:16.400 --> 00:24:21.680
as wrong in the network and then you find it and isolate it and squish it, it’s just exciting.

00:24:21.680 --> 00:24:26.880
As a sysadmin, most of your job isn’t tackling live security issues so when it’s happening,

00:24:26.880 --> 00:24:31.520
it is exciting. Honestly, it’s always fun to catch someone in the act that’s doing something

00:24:31.520 --> 00:24:35.520
they shouldn’t be doing and go and bonk them on the head and tell them not to do that anymore

00:24:35.520 --> 00:24:39.920
because they’re usually blown away that you’ve figured out it was them. This paints a picture

00:24:39.920 --> 00:24:45.680
of what kind of stuff Clay works on. But Clay also sometimes does this on the side a little. He

00:24:45.680 --> 00:24:49.760
has a few clients and he helps secure their network. When they have an issue, they call

00:24:49.760 --> 00:24:55.600
him up. One day, they gave him a call. CLAY: This was just a normal day at work. I

00:24:55.600 --> 00:25:00.960
got an e-mail from the client. Something doesn’t seem right; something doesn’t look

00:25:00.960 --> 00:25:10.960
right. The application is acting kind of funky or something’s off. I’m like okay well, let me grab a

00:25:10.960 --> 00:25:15.440
cup of coffee and come and check it out. JACK: Basically, one of the faculty or staff

00:25:15.440 --> 00:25:19.680
at the school was complaining about a slow website which was running Linux

00:25:19.680 --> 00:25:25.200
which is a server that Clay can access and check into. The Linux server runs this website and Clay

00:25:25.200 --> 00:25:30.560
looks around at the thing. He’s checking things like does the website load? Yeah, it does. It’s

00:25:30.560 --> 00:25:37.680
working okay. Is the server running high CPU or is it low on disk space? No, that’s fine, too.

00:25:37.680 --> 00:25:44.240
Things seem okay and maybe a junior-level sysadmin would stop here and just try to let it sort itself

00:25:44.240 --> 00:25:50.720
out or reboot the machine and be done. But Clay is not a junior sysadmin. He’s a senior security

00:25:50.720 --> 00:25:58.160
engineer so he takes another look. CLAY: [MUSIC] I want to see who’s logged in,

00:25:58.160 --> 00:26:01.920
if anyone is logged in. JACK: He checks here to see if any

00:26:01.920 --> 00:26:05.840
developers are in there messing around or another sysadmin doing something or

00:26:05.840 --> 00:26:11.040
anyone fiddling with this. He doesn’t see anyone else there so he does his usual rounds.

00:26:11.040 --> 00:26:18.160
CLAY: [MUSIC] Is the database up and running? Is the VPN up and running? How does that look?

00:26:18.160 --> 00:26:25.680
Just standard stuff, right, looking over the whole application site, making sure things are running,

00:26:25.680 --> 00:26:32.160
doing a quick top making sure nothing is running extremely high, taking up a lot of load, using

00:26:32.160 --> 00:26:37.120
a lot of memory, those sorts of things. JACK: At first glance all this seems okay still.

00:26:37.120 --> 00:26:40.160
But then a second look through everything, he

00:26:40.160 --> 00:26:44.400
finds something. CLAY: I found

00:26:44.400 --> 00:26:50.240
that there was a root shell open. JACK: [BEEPING] A root shell is open on this

00:26:50.240 --> 00:26:57.600
server. Let me explain; on Linux, this super user or administrator is called root. [MUSIC] This user

00:26:57.600 --> 00:27:03.120
account has full privileges to everything on the server. What Clay sees is that someone is logged

00:27:03.120 --> 00:27:08.080
in as root. Having a shell is another way of saying someone’s logged into the command line.

00:27:08.080 --> 00:27:13.280
Now, you and I might think oh, it’s just another administrator doing work, but the school has set

00:27:13.280 --> 00:27:18.720
up the network correctly. See, it’s not good to allow anyone to log in as root because

00:27:18.720 --> 00:27:24.480
you have no idea who that is logged in as root, and every hacker on the planet knows this username

00:27:24.480 --> 00:27:30.240
exists and will try to brute-force the password to it if you give them a chance. The school set it up

00:27:30.240 --> 00:27:36.240
so that individual users, like Clay’s username, have access and admin capabilities and super user

00:27:36.240 --> 00:27:43.760
privileges. Clay knows that under no circumstance should anyone ever be logged in as root, but here

00:27:43.760 --> 00:27:48.080
there is. Someone is logged in as root. CLAY: I immediately start thinking to myself,

00:27:48.080 --> 00:27:54.800
oh crap. We do have a compromise. It is a root-level compromise. Now

00:27:54.800 --> 00:28:02.400
my heart starts pounding a little bit stronger and I start thinking well hell,

00:28:02.400 --> 00:28:07.520
what the hell do I do next? JACK: Okay, so in the physical world

00:28:07.520 --> 00:28:12.080
this is equivalent to coming home and seeing your front door is wide open and there are muddy

00:28:12.080 --> 00:28:17.200
tracks leading into your house. The feeling of discovering someone is in your server

00:28:17.200 --> 00:28:23.520
that shouldn’t be there and for them to have root level access to it is really, really scary.

00:28:23.520 --> 00:28:28.880
CLAY: I looked to see how they got in and block it. Do I just sever the

00:28:28.880 --> 00:28:37.120
connection and hope they don’t come back before I can patch the stuff, or what? All of these

00:28:37.120 --> 00:28:43.840
thoughts are just racing through my mind. JACK: Clay takes a step back, and a deep breath.

00:28:43.840 --> 00:28:47.440
All of a sudden, he’s hyper-focused on this issue now. Anything else that he was

00:28:47.440 --> 00:28:52.400
thinking about doing that day is no longer in his thoughts. This is all he can think about.

00:28:52.400 --> 00:28:57.600
CLAY: I said well, the best thing to do is determine how the hell they got in and try

00:28:57.600 --> 00:29:03.280
not to make a lot of noise on the system while I’m doing this because I don’t [00:30:00] know

00:29:03.280 --> 00:29:08.160
if they’re active, if they’re like sitting at the shell actively looking at stuff,

00:29:08.160 --> 00:29:13.200
or if they just have a shell open and it’s in the background. Or maybe that shell is just

00:29:13.200 --> 00:29:19.840
waiting for a command or something. I don’t know exactly what’s going on so I want to be careful

00:29:19.840 --> 00:29:27.920
and I want to go slowly, and I want to find out what the hell happened.

00:29:27.920 --> 00:29:35.120
[MUSIC] Being a web application, I knew it had to be probably

00:29:35.120 --> 00:29:40.800
SQL injection. Cross-site scripting thing probably wouldn’t lead to this level of compromise,

00:29:40.800 --> 00:29:43.760
at least not right away. I started looking at the database.

00:29:43.760 --> 00:29:48.720
JACK: This web server was running an SQL database. This is where all the data is

00:29:48.720 --> 00:29:53.680
stored for the website. Clay was looking at the history of commands executed in the database,

00:29:53.680 --> 00:29:58.720
trying to find anything unusual. CLAY: I started looking at some of the pages that

00:29:58.720 --> 00:30:05.360
used the database more heavily than others. I did start to notice some weird shit in the database,

00:30:05.360 --> 00:30:18.400
in some of the tables. I was able to isolate it to one of two pages that had this vulnerability.

00:30:18.400 --> 00:30:25.840
I visited those pages and they looked okay; nothing was out of whack or funky.

00:30:25.840 --> 00:30:33.840
No errors were being displayed or anything like that. I thought let me just move these files

00:30:33.840 --> 00:30:38.800
and move them out of the way so they’re not accessible anymore.

00:30:38.800 --> 00:30:42.720
JACK: Clay determined that a couple of pages on this website were probably

00:30:42.720 --> 00:30:47.600
where the hacker got in, so he just took those pages offline, making it so further intrusions

00:30:47.600 --> 00:30:52.720
couldn’t occur. Removing how this person got in is one thing, but it doesn’t remove them

00:30:52.720 --> 00:30:57.920
from your server. The root user was still logged into the server but if Clay kicks them out now,

00:30:57.920 --> 00:31:02.640
they probably couldn’t get back in. CLAY: Tried to su to root at some point

00:31:02.640 --> 00:31:07.520
during this whole thing and I couldn’t. I knew they had changed the password.
