WEBVTT

00:00:00.000 --> 00:00:04.620
JACK: [BACKGROUND NOISE] When you go into a bank you see all kinds of physical security checks.

00:00:04.620 --> 00:00:09.780
There are thick panes of glass between the tellers and customers, vaults with a large heavy door,

00:00:09.780 --> 00:00:14.730
cameras everywhere, a security guard is walking around. But do you think about ways you could

00:00:14.730 --> 00:00:21.300
bypass all of that? You might notice a back door to the bank and wonder if it’s unlocked, or the

00:00:21.300 --> 00:00:27.390
door between the tellers and customers is so short that you could jump over it. Or maybe you see a

00:00:27.390 --> 00:00:33.360
blind spot in the way the cameras are pointing. In this episode we’re going to test the physical

00:00:33.360 --> 00:00:40.260
security of a bank but our goal isn’t to steal cash. It’s to get access to the teller’s computer.

00:00:40.260 --> 00:00:45.770
JACK (INTRO): [INTRO MUSIC] This is Darknet Diaries, true stories

00:00:45.770 --> 00:00:53.520
from the dark side of the internet. I’m Jack Rhysider. [INTRO MUSIC ENDS]

00:00:53.520 --> 00:00:58.601
JACK: In this episode we’re going to hear a story from Jason E. Street.

00:00:58.601 --> 00:00:58.620
JASON: What’s up.

00:00:58.620 --> 00:01:03.240
JACK: Jason is one of those guys who has endless stories of incredible things that have happened

00:01:03.240 --> 00:01:08.820
to him. He’s also a Diet Pepsi addict. When you talk to him you hear him say random things like…

00:01:08.820 --> 00:01:11.640
JASON: It’s never drinking the Diet Pepsi that gets me. It’s usually trying

00:01:11.640 --> 00:01:16.635
to get rid of the Diet Pepsi that gets me. I almost died peeing off a cliff in Bulgaria.

00:01:16.635 --> 00:01:19.860
JACK: While I was talking to him I was kind of curious to hear the back story

00:01:19.860 --> 00:01:24.120
of all these little footnotes that he was throwing at me, but it didn’t take long

00:01:24.120 --> 00:01:27.660
before I heard him say something that I just had to hear the whole story.

00:01:27.660 --> 00:01:31.770
JASON: I accidentally robbed the wrong bank the last time I was in Beirut.

00:01:31.770 --> 00:01:38.370
JACK: Jason started out in law enforcement but for almost the last twenty years he’s been working in

00:01:38.370 --> 00:01:43.110
InfoSec. He’s done considerable work defending the network but he’s also done numerous penetration

00:01:43.110 --> 00:01:49.800
tests. One of his favorite things to do is what he calls Security Awareness Engagement. He’s hired by

00:01:49.800 --> 00:01:54.660
companies to test the physical security of a place. For instance, it shouldn’t be possible

00:01:54.660 --> 00:01:59.460
for a guy to just walk off the street, walk [FOOTSTEPS] right into an office, walk directly

00:01:59.460 --> 00:02:05.640
past reception, sit down at a random computer, and do work and then walk out. [DOOR CLOSES] He

00:02:05.640 --> 00:02:10.020
should be stopped, right? A door should be locked, reception should not let him pass,

00:02:10.020 --> 00:02:15.810
and the computer should be locked. Then someone should notice that he shouldn’t be there. This is

00:02:15.810 --> 00:02:20.310
what should stop him but companies hire Jason to actually test if this kind of thing is possible.

00:02:20.310 --> 00:02:23.520
JASON: When I do these engagements they’re not red team engagements.

00:02:23.520 --> 00:02:27.630
They’re not pen-testing. They’re literally security awareness engagements. I don’t

00:02:27.630 --> 00:02:31.260
mind getting caught and if I don’t get caught, I try to get caught by the end

00:02:31.260 --> 00:02:34.710
of the engagement because I’m trying to teach the employees how to be better.

00:02:34.710 --> 00:02:39.570
JACK: While you listen to this story you may question the legitimacy of what he’s saying.

00:02:39.570 --> 00:02:46.080
I know I have. So I will be providing photos and videos of him doing these things. You can check

00:02:46.080 --> 00:02:50.730
out the show notes to see these. The stories you’re about to hear were all captured by his

00:02:50.730 --> 00:02:56.220
wrist camera, a button camera on his jacket, or closed-captioned cameras in the bank itself. In

00:02:56.220 --> 00:03:00.480
fact, there’s even an episode of National Geographic that filmed him doing some of

00:03:00.480 --> 00:03:06.150
the stuff he’ll talk about. I’ve fact-checked the story as best I can and amazingly enough,

00:03:06.150 --> 00:03:13.970
it checks out. [MUSIC] A few years back, a bank hired him to do one of these security

00:03:13.970 --> 00:03:20.120
awareness engagements. They wanted him to test the physical security of a bank in Beirut. Jason got

00:03:20.120 --> 00:03:26.780
on a flight and headed to the Middle East. Beirut is the capital city of Lebanon which is nestled

00:03:26.780 --> 00:03:31.880
between Syria and Israel and has lovely views of the Mediterranean Sea. The main language is

00:03:31.880 --> 00:03:37.160
Arabic but they also speak French and English. Jason arrives at the bank headquarters. It’s

00:03:37.160 --> 00:03:41.810
a tall building at least thirty stories high. There’s a bank branch on the ground floor. The

00:03:41.810 --> 00:03:46.760
other floors are the bank’s offices. Jason heads up to the twentieth floor to a conference room.

00:03:46.760 --> 00:03:55.640
JASON: Okay, so I started off with a meeting that morning with a guy who wasn’t too – very impressed

00:03:55.640 --> 00:04:01.430
with me, to say the least. I’m not good at making a good first impression for some reason. He’s

00:04:01.430 --> 00:04:07.250
just being very condescending ‘cause I’m American and I’m you know, weird and all that. He’s like,

00:04:07.250 --> 00:04:09.380
I don’t know if we’re going to be able to – [inaudible] going to be able to fall for

00:04:09.380 --> 00:04:13.970
that, or what do you need for us to help you? I’m like, you know what,

00:04:13.970 --> 00:04:19.940
why don’t I just go downstairs right now and compromise your branch downstairs? He’s like,

00:04:19.940 --> 00:04:24.680
what? So we went downstairs and I compromised his whole entire branch,

00:04:24.680 --> 00:04:33.620
even was behind his teller line. He was not thrilled with that. But then I sort of

00:04:33.620 --> 00:04:36.830
shot myself in the foot a little bit because now they’re like okay, well you’re so good,

00:04:36.830 --> 00:04:42.710
we want you to see if you can get actual network compromise. I’m like, well how would I show

00:04:42.710 --> 00:04:48.230
network compromise from physically stealing stuff? I will get us a user ID, a password, a smart card,

00:04:48.230 --> 00:04:56.060
a computer, and network access. We’ll give you three chances in three different branches. You go

00:04:56.060 --> 00:05:03.470
and do what you can to do that. This was like, sure, whatever. We’ll see what happens. Yolo.

00:05:03.470 --> 00:05:08.100
JACK: [MUSIC] Jason doesn’t like to do a lot of recon before a mission like this.

00:05:08.100 --> 00:05:11.970
If he’s working with another person on the mission and they start planning and

00:05:11.970 --> 00:05:14.970
plotting and prepping for the break-in, Jason will just say…

00:05:14.970 --> 00:05:17.820
JASON: Can’t I just walk in and be adorable? That seems to work with me.

00:05:17.820 --> 00:05:19.770
JACK: Jason gets suited up.

00:05:19.770 --> 00:05:23.850
JASON: I’m wearing a leather jacket that says Defcon on it, red Thundercat tennis shoes, a

00:05:23.850 --> 00:05:28.650
khaki shirt, and a collared shirt but with a badge that has their lanyard which I could have gotten

00:05:28.650 --> 00:05:34.860
anywhere, the trash, whatever, with a card that’s just a blank card that looks like a HID card.

00:05:34.860 --> 00:05:37.800
JACK: He likes to wear what he calls his vest of doom,

00:05:37.800 --> 00:05:40.290
which contains a few essentials needed for this mission.

00:05:40.290 --> 00:05:49.380
JASON: Usually it’s a pwn plug, it’s a USB rubber ducky, it may be a Proxmark3 tool, a couple

00:05:49.380 --> 00:05:55.470
drop boxes, just some malicious things to show them the damage that I could do. I never really

00:05:55.470 --> 00:06:00.150
execute code. I never really do any kind of the actual – exploit the vulnerabilities. I’m

00:06:00.150 --> 00:06:04.890
doing it just to show what the potential is. Remember, I’m not trying to get a red team.

00:06:04.890 --> 00:06:08.700
I’m not trying to do red team. I’m not trying to exploit them. I’m not trying to show their

00:06:08.700 --> 00:06:11.970
vulnerabilities. I’m trying to educate them on the dangers that actually exist.

00:06:11.970 --> 00:06:16.320
JACK: Jason is all set now, so he gets picked up by the driver and is taken to the bank.

00:06:16.320 --> 00:06:24.210
JASON: I go to the first branch and I literally just walk in. I walk in and I walk exactly like

00:06:24.210 --> 00:06:31.320
I know where I’m going. I walk past the executive. I walk to this manager’s office where he’s talking

00:06:31.320 --> 00:06:38.520
to someone. He doesn’t see me look in so I pause right outside his door but before I

00:06:38.520 --> 00:06:43.374
get back to the– the executive can see me, and I wait there for about thirty seconds. [MUSIC]

00:06:43.374 --> 00:06:49.950
JACK: This pause he’s doing is important. He didn’t go immediately to the tellers. Instead

00:06:49.950 --> 00:06:55.260
he went in the opposite direction to a hall with offices. He’s hovering just outside the manager’s

00:06:55.260 --> 00:06:59.610
office because he wants to look like he’s meeting with the manager, so that when he moves to the

00:06:59.610 --> 00:07:04.230
next location in the bank, he’s hoping someone will see him coming from the manager’s office.

00:07:04.230 --> 00:07:10.440
JASON: Then I walked from there straight into the executive’s office. Her first impression has gotta

00:07:10.440 --> 00:07:16.120
be that I just finished talking to the manager. I tell her that yeah, I’m here with the auditor.

00:07:16.120 --> 00:07:21.700
We’re doing an audit on the computer systems from head office. I need to look at the computer.

00:07:21.700 --> 00:07:26.140
JACK: Because it looked like he had just come out of the manager’s office, she bought the

00:07:26.140 --> 00:07:31.600
story and let him use her computer. The first thing he does is plug a rubber ducky into her

00:07:31.600 --> 00:07:37.390
machine. Rubber ducky looks just like any other regular USB stick but it’s actually an incredibly

00:07:37.390 --> 00:07:42.340
dangerous tool. When it’s plugged into a computer it tells the computer that it’s a keyboard and

00:07:42.340 --> 00:07:47.350
rubber ducky then proceeds to send pre-recorded keyboard commands to the computer. Rubber ducky

00:07:47.350 --> 00:07:51.790
can be configured to create a remote control session to that computer. By simply plugging

00:07:51.790 --> 00:07:56.620
it into a computer for only a few seconds it can give a hacker full control of that machine

00:07:56.620 --> 00:08:02.980
from a remote location. But Jason’s rubber ducky only opens a notepad and types the word ‘Hello’

00:08:02.980 --> 00:08:07.450
in it because he doesn’t want to actually hack into the machine; he just wants to test if the

00:08:07.450 --> 00:08:13.450
machine is hackable. Once he sees Notepad pop up he takes a picture of the screen with his iPad,

00:08:13.450 --> 00:08:17.365
and then takes the mouse, closes the window, and unplugs the rubber ducky.

00:08:17.365 --> 00:08:23.440
JASON: I’ve plugged in the device. Now I’m golden because now people are seeing me come out of her

00:08:23.440 --> 00:08:27.580
office after coming out of the manager’s office. I go to this other lady that’s beside the teller

00:08:27.580 --> 00:08:31.930
line. She made eye contact with me as I left so I stayed straight-on eye contact with her,

00:08:31.930 --> 00:08:36.640
went to her desk, and I tell her hey, look, I’m doing an audit on the machines from head office.

00:08:36.640 --> 00:08:41.260
I need to go through all these machines. Got her to let me compromise her machine. So she

00:08:41.260 --> 00:08:45.100
thinks now – she’s bought into the whole thing so she walks me behind the teller

00:08:45.100 --> 00:08:50.530
line and then I then proceed to compromise the teller that’s behind there. That took a whole

00:08:50.530 --> 00:08:54.790
two minutes and twenty-something seconds from walking in the door from the very first time.

00:08:54.790 --> 00:09:00.640
JACK: At this point Jason is now hanging out behind the teller line in the bank. He’s asked

00:09:00.640 --> 00:09:04.720
tellers if they can move out of the way while he plugs in his rubber ducky into their computer, and

00:09:04.720 --> 00:09:08.740
then he takes control of their mouse and begins using it. It didn’t take him long to do this to

00:09:08.740 --> 00:09:13.600
every computer behind the teller line. After he touches every computer he sees, he starts

00:09:13.600 --> 00:09:18.100
messing around with the other electronics like scanners, printers, monitors, everything. At one

00:09:18.100 --> 00:09:22.270
point while he was only a couple feet away from the teller, a person was making a large deposit.

00:09:22.270 --> 00:09:28.030
JASON: Yeah, I took pictures of that, actually. He was depositing $250,000

00:09:28.030 --> 00:09:31.690
in cash. I could have reached out and touched it. One of the executives that was there watching this

00:09:31.690 --> 00:09:37.210
go down actually wanted me at one point to go and steal the money because I was getting everything,

00:09:37.210 --> 00:09:42.820
because about five minutes after I was behind the teller line. I was there for almost thirty

00:09:42.820 --> 00:09:47.590
minutes. I was behind the teller line and at all the different offices. I totally compromised this

00:09:47.590 --> 00:09:53.110
whole facility and had full carte blanche. The manager shows up at about ten minutes, fifteen

00:09:53.110 --> 00:10:00.820
minutes after I was already doing everything and I then – he assumes everybody was – verified me,

00:10:00.820 --> 00:10:08.380
so I’m safe. Everybody thought that he verified me, so therefore I was safe. No one actually

00:10:08.380 --> 00:10:13.630
verified me. It took crosstalk between the two. I get one to think that the other one verified me.

00:10:13.630 --> 00:10:18.490
JACK: At this point Jason had established himself so well that the manager asked him to take a look

00:10:18.490 --> 00:10:22.870
at a computer problem they’ve been having. Jason said in order to help he’s going to need a user

00:10:22.870 --> 00:10:28.660
ID, a password, and a smart card. So they gave it to him. Jason looked at the problem for a minute

00:10:28.660 --> 00:10:32.800
and told them he’ll just replace that computer with a new one. The manager was thrilled to hear

00:10:32.800 --> 00:10:37.480
this news and asked him to take a look at the scanner and monitors, too. Jason decided to

00:10:37.480 --> 00:10:40.960
just tell him that headquarters is planning to do a full refresh of all the equipment,

00:10:40.960 --> 00:10:46.630
which was a total lie. The manager reacted to this like a kid getting presents on his birthday.

00:10:46.630 --> 00:10:52.570
JASON: I tell him that I’m here to help do a restore and a rebuild of their – remodel of their

00:10:52.570 --> 00:10:57.640
office, their branch. He lets me do everything except for going to the vault. It’s like,

00:10:57.640 --> 00:11:01.660
that’s the only place he wouldn’t let me go into ‘cause there was no phone lines or jacks or any

00:11:01.660 --> 00:11:05.470
kind of internet devices in there. Though I asked and said are you sure? Let me take

00:11:05.470 --> 00:11:12.400
a look. While I was there I got the user ID, the password, and the smart card from one of

00:11:12.400 --> 00:11:18.940
the main supervisors. I successfully got three of the things in the first branch.

00:11:18.940 --> 00:11:22.390
JACK: Jason kept trying to push the limits of what he was allowed

00:11:22.390 --> 00:11:26.740
to do. He began taking things out of the building.

00:11:26.740 --> 00:11:32.350
JASON: I literally left the branch about three times. I walked out with all the documentation

00:11:32.350 --> 00:11:40.195
underneath the teller’s desk, their notepads, I walked out with that. Then I got all the – I got

00:11:40.195 --> 00:11:44.740
his user ID, password, badge, let me work on the machine, then I walked away with his badge saying

00:11:44.740 --> 00:11:50.350
I need to use this to go test something. I left with that. Then there was something else that I

00:11:50.350 --> 00:11:57.100
took, and I left with that. I left the building three times. The branch was so horrible on their

00:11:57.100 --> 00:12:02.440
response, I literally waited in there until the whole branch was closed for the day and

00:12:02.440 --> 00:12:09.610
then I had everybody come around and had the executive that was with me actually translate

00:12:09.610 --> 00:12:15.280
everything into Arabic just to make sure everybody understood fully how bad the situation was and how

00:12:15.280 --> 00:12:20.350
bad I compromised them and what they need to do to be better protected and to be better aware

00:12:20.350 --> 00:12:24.940
of things like this in the future. That’s when they first became aware that I was a bad guy.

00:12:24.940 --> 00:12:30.250
JACK: The bank manager was still confused about who Jason was.

00:12:30.250 --> 00:12:34.480
JASON: He was like – it was like kicking a puppy. I felt so bad because after I took

00:12:34.480 --> 00:12:38.860
teaching everybody and training them what’s going on, he raised his hand

00:12:38.860 --> 00:12:43.540
during this whole all-hands meeting and he says what about the free computers? Do we

00:12:43.540 --> 00:12:48.730
still get the new computers? I’m like no, I was lying to you. I’m a horrible person.

00:12:48.730 --> 00:12:53.740
JACK: The next day Jason meets up with his driver to take him

00:12:53.740 --> 00:12:56.710
to the next branch. Jason has two objectives left;

00:12:56.710 --> 00:13:02.050
to steal a computer and to get network access. The driver drops him off outside the bank.

00:13:02.050 --> 00:13:08.860
JASON: [TRAFFIC SOUNDS] It was a glass building and there was a sign on the door. The sign on

00:13:08.860 --> 00:13:13.570
the door said something in French and Arabic. It had an arrow and I’m like,

00:13:13.570 --> 00:13:20.200
I have no idea what that means. I guess it meant go to the door next door, go to the next door. I’m

00:13:20.200 --> 00:13:25.660
walking and I go and I’m about to walk in the door and I hear the horn honking. [HORN HONKING] It’s

00:13:25.660 --> 00:13:31.390
just insistent. There’s a lot of traffic but this is actually – it got to the point right before I

00:13:31.390 --> 00:13:37.990
got in – I already targeted someone inside behind the teller line to go talk to. The horn honking

00:13:37.990 --> 00:13:43.180
was insistent so I turned around and looked to see who it was. Sure enough it was my guy who

00:13:43.180 --> 00:13:47.110
was driving me and I went up to him. He’s like, that’s the wrong bank. That’s the wrong bank. I

00:13:47.110 --> 00:13:52.480
was like yeah, but there’s a sign on the door. It says push the button for entry. I’m like oh,

00:13:52.480 --> 00:13:56.530
so I go back to the original door and I push the button and that lets me in.

00:13:56.530 --> 00:14:01.240
JACK: Jason is known for giving awkward hugs but if he would have gone into the wrong bank

00:14:01.240 --> 00:14:04.600
and tried to steal a computer from it, this would have been a whole new level

00:14:04.600 --> 00:14:09.190
of awkwardness that he would not have been prepared for. Luckily his driver

00:14:09.190 --> 00:14:14.101
caught him before entering the wrong bank. He reset himself and went into the right bank.

00:14:14.101 --> 00:14:19.270
JASON: I felt bad about all the stuff I did in the first one so I vowed not to talk to

00:14:19.270 --> 00:14:26.920
anybody. [MUSIC] I just walked back, found the break room, got a little bit of water so that way,

00:14:26.920 --> 00:14:30.970
after a couple of minutes, I’m now approaching from a different direction. Instead of coming

00:14:30.970 --> 00:14:36.760
from the untrusted side, I’m now coming and approaching from the trusted side. It’s

00:14:36.760 --> 00:14:45.580
all psychological. I walk into the – behind this door that got me into the teller area,

00:14:45.580 --> 00:14:50.140
like a little circular kind of thing. I literally go up to the – beside the teller that’s actually

00:14:50.140 --> 00:14:54.760
conducting business beside me and without even saying a word to him I start unplugging

00:14:54.760 --> 00:14:59.860
the computer. Unplug it, disconnect everything, and I walk out with it.

00:14:59.860 --> 00:15:01.780
JACK: How is that possible?

00:15:01.780 --> 00:15:07.120
JASON: Because what kind of crazy person walks into a freaking branch and steals a

00:15:07.120 --> 00:15:11.680
computer? Besides me, that is. It was a small computer, in their defense.

00:15:11.680 --> 00:15:16.990
JACK: Now Jason has four of the five objectives complete and has one branch left.

00:15:16.990 --> 00:15:22.810
The last objective is to get network access. The driver takes Jason to the last branch. [MUSIC]

00:15:22.810 --> 00:15:28.300
JASON: That was the simplest. I just walked up and there was a lady cleaning

00:15:28.300 --> 00:15:31.330
offices. I tell her I need to get into the network halls. I’m doing some work

00:15:31.330 --> 00:15:36.730
for headquarters. She just opened the door. That was very anticlimactic at that point.

00:15:36.730 --> 00:15:38.470
JACK: Why did that work?

00:15:38.470 --> 00:15:44.380
JASON: Because they don’t associate that with money. That’s just a network closet.

00:15:44.380 --> 00:15:48.970
I don’t have a ski mask, I don’t look threatening. I’m smiling and

00:15:48.970 --> 00:15:54.580
I’m laughing and joking around. I’m harmless. Why not let me in?

00:15:54.580 --> 00:15:58.000
JACK: He took a picture of himself in their networking room and all their

00:15:58.000 --> 00:16:01.960
networking equipment, then left that room and closed the door behind him and walked

00:16:01.960 --> 00:16:07.600
out of the bank. Jason had easily broken into three banks in three days and completed all

00:16:07.600 --> 00:16:13.090
five of his objectives. He met back up with the executives that hired him. Their response was…

00:16:13.090 --> 00:16:18.580
JASON: Shocked. Literally, they were flabbergasted. It was just unbelievable

00:16:18.580 --> 00:16:21.490
to them that that occurred. They were like, this cannot be real.

00:16:21.490 --> 00:16:29.170
JACK: [MUSIC] A few years pass. Jason gets another call for another security awareness

00:16:29.170 --> 00:16:33.940
engagement. This time it’s a different bank in Beirut so he heads back out there.

00:16:33.940 --> 00:16:36.424
JASON: I was hired to…

00:16:36.424 --> 00:16:38.530
JACK: Of course he has to have a Diet Pepsi while he tells the story.

00:16:38.530 --> 00:16:45.040
JASON: I was hired to rob a bank there for this one bank. There’s a problem with – there’s a lot

00:16:45.040 --> 00:16:50.830
of banks in Beirut so I was doing this one engagement. We started out that morning. It

00:16:50.830 --> 00:16:57.430
was very successful. We started off with a success. Then the one that we totally

00:16:57.430 --> 00:17:03.820
compromised started sending out phone calls to other people to warn them about me. I was

00:17:03.820 --> 00:17:08.470
a little upset. We were going one off-script to a branch that they didn’t know about,

00:17:08.470 --> 00:17:15.040
hoping that we’d be able to get them unawares. I’d already drunk a 1.5 litre bottle of Diet

00:17:15.040 --> 00:17:20.500
Pepsi already which usually leads me to problems. I had to go really bad and

00:17:20.500 --> 00:17:24.670
the guy’s telling me that – the guy who’s the liaison for the engagement is telling me okay,

00:17:24.670 --> 00:17:31.150
go down this sidewalk. Toward the end, it’s right there. Just go in and I’ll be in there two minutes

00:17:31.150 --> 00:17:39.190
after you because he’s my get out of jail free card. So, I go down. All I’m thinking about,

00:17:39.190 --> 00:17:43.420
literally – I’m looking at other stores and other places if I can find one with a restroom. I’ll

00:17:43.420 --> 00:17:46.600
go into it first so I wouldn’t go into the bank already having to go to the restroom.

00:17:46.600 --> 00:17:52.360
But I couldn’t find one. I see the branch. I don’t look at the sign [inaudible]. It’s got tellers,

00:17:52.360 --> 00:17:58.030
it’s the bank I’m supposed to go into. I get into it. I know that the bathrooms in Europe and a lot

00:17:58.030 --> 00:18:01.480
of other countries, they’re either on the second floor or in the basement. They’re never on the

00:18:01.480 --> 00:18:07.180
first floor. I automatically look for the stairs for going up or down. I find some stairs going

00:18:07.180 --> 00:18:15.010
up. Second floor, sure enough, right there is the bathroom. I’m really happy about that. I use the

00:18:15.010 --> 00:18:19.420
bathroom, I come back down. I’m at the head of the stairs, at the top of the stairs and I’m looking

00:18:19.420 --> 00:18:24.385
down. I see two people working in a cube. I’m like well, I’m supposed to start working. [MUSIC]

00:18:24.385 --> 00:18:29.350
So I go down there, tell them I’m with Microsoft, show them my fake Microsoft badge,

00:18:29.350 --> 00:18:35.440
plug in the rubber ducky, compromise their machine. This screen pops up. The window

00:18:35.440 --> 00:18:41.980
text document pops up saying hey, this shouldn’t have happened. Then I go to the next one and I

00:18:41.980 --> 00:18:47.110
compromise that machine. I’ve already succeeded. I’m already done. The whole engagement’s already

00:18:47.110 --> 00:18:52.720
completed. I’ve already compromised their network. The security awareness engagement, the success is

00:18:52.720 --> 00:19:00.490
plugging it into one device ‘cause one device is all it takes to compromise the network. Everything

00:19:00.490 --> 00:19:06.910
else is gravy and teaching experiences for the employees, because I compromise all the employees

00:19:06.910 --> 00:19:11.830
and then I go back and I talk to all the employees and tell them what I did and what they did wrong

00:19:11.830 --> 00:19:20.110
that allowed me to do what I did. I get the second one and I’m really happy now. I’m feeling relaxed.

00:19:20.110 --> 00:19:23.980
Then this guy comes up to me when I’m going to the third one and he says what are you doing

00:19:23.980 --> 00:19:28.330
here? I’m like oh, I’m here with Microsoft. I’m doing a USB audit where I can – because

00:19:28.330 --> 00:19:32.470
the merging of acquisitions. This was supposed to be very hush-hush. I show him this forged e-mail

00:19:32.470 --> 00:19:37.180
on an iPad. You always do it on an iPad because that makes it look legit. If it was on paper,

00:19:37.180 --> 00:19:40.660
it could be just printed out. I put it on the iPad so it would look more legit. I

00:19:40.660 --> 00:19:48.850
show him this forged e-mail that’s from the CFO of the bank who’s actually also

00:19:48.850 --> 00:19:58.750
the daughter of the owner of the bank, giving me authorization to do this audit. They said well,

00:19:58.750 --> 00:20:03.370
you’ve got to talk to the supervisor for that. I’m like okay, ‘cause I’ve already won so all

00:20:03.370 --> 00:20:10.720
I have to do now is just escape. I go to the supervisor and I show her the e-mail. Now,

00:20:10.720 --> 00:20:15.010
this get out of jail free card, this forged e-mail has two options that I knew of;

00:20:15.010 --> 00:20:24.190
option one was they read it and they go okay. This looks totally legit. Option two and they go yeah,

00:20:24.190 --> 00:20:28.780
this looks sketchy. I’m going to need some more documentation. I need to call someone. Then I go

00:20:28.780 --> 00:20:34.180
and say very innocently and adorably like hey, do you need more paperwork? ‘Cause I have some

00:20:34.180 --> 00:20:38.650
more paperwork in my car. I can go and get that. Then they let me leave and that’s a

00:20:38.650 --> 00:20:42.580
find because they’ve allowed me to escape after they realize something suspicious is going on.

00:20:42.580 --> 00:20:48.670
Well, it turns out there’s a third option. This third option was not known to me or

00:20:48.670 --> 00:20:52.750
even conceived in me for a very long time, because I had just never – it

00:20:52.750 --> 00:20:57.460
just never crossed my mind. But the third option is when the lady reads the e-mail,

00:20:57.460 --> 00:21:03.010
looks at me very sternly and very upset and says, “This is for the bank next door. What

00:21:03.010 --> 00:21:08.740
are you doing in here and what did you plug into our computers?” I kid you not,

00:21:08.740 --> 00:21:14.170
the first thing I said – I mean, I could have done all these pretexts, I could have done all

00:21:14.170 --> 00:21:19.210
this other – but I was not prepared for that. I just looked at her dead in the eyes and said like,

00:21:19.210 --> 00:21:35.515
this is unfortunate. This is unfortunate. Yeah, I got nothing. I should not be here. [MUSIC]

00:21:35.515 --> 00:21:41.650
About two minutes later I’m in the bank manager’s office. Don’t even ask me how I got there. I’m

00:21:41.650 --> 00:21:45.940
sitting down in this chair. Six people were speaking Arabic very angrily around me and I’m

00:21:45.940 --> 00:21:53.170
like, this is not a good thing. I start to panic a little bit and I’m like guys, it’s just a – it

00:21:53.170 --> 00:21:58.990
opens up a text document. It’s totally fine. I’m doing an engagement. This is what I do. I said

00:21:58.990 --> 00:22:04.600
look, and I plugged the USB drive into the bank manager’s computer, which I thought at the time

00:22:04.600 --> 00:22:09.490
was a very good idea. It popped up the notepad. It showed that this is all it said. Then I look

00:22:09.490 --> 00:22:15.820
behind me and I see their faces and I’m like, oh yeah. I just compromised another machine but with

00:22:15.820 --> 00:22:22.660
more witnesses. This is unfortunate. That did not work out as well as I thought it would be.

00:22:22.660 --> 00:22:29.650
I literally even got to the point where I was just like, you can Google me. I’m known for this stuff.

00:22:29.650 --> 00:22:35.470
They’re very unhappy. By that time the representative from the company that hired me,

00:22:35.470 --> 00:22:42.940
he found out where I was at ‘cause he realized I had not shown up in the branch that I was supposed

00:22:42.940 --> 00:22:46.990
to be at. He didn’t know where I was. He thought I was in the back room compromising everything

00:22:46.990 --> 00:22:52.990
there ‘til finally he realized wait, something’s off, and then went looking for me. He found me

00:22:52.990 --> 00:22:57.880
and then he was able to start talking to them in Arabic and English and French ‘cause it’s a

00:22:57.880 --> 00:23:04.590
mixture. They speak all three languages fluently. He’s talking to them; he’s trying to explain to

00:23:04.590 --> 00:23:08.520
them what’s going on. Then finally they were like okay, you have to go to the head office

00:23:08.520 --> 00:23:14.760
with an escort so the head security team can go and look at this payload and make sure that

00:23:14.760 --> 00:23:19.434
it’s not something malicious or what’s going on. So we drive to the head office. [MUSIC]

00:23:19.434 --> 00:23:25.740
JACK: Jason is now being escorted by car to the headquarters of a

00:23:25.740 --> 00:23:29.365
bank that he accidentally broke into. He was starting to get pretty worried.

00:23:29.365 --> 00:23:36.330
JASON: It was not going well. I was a little nervous. I have to be honest with you;

00:23:36.330 --> 00:23:40.680
I don’t know the condition of Lebanese prisons

00:23:40.680 --> 00:23:47.310
but I don’t want to ever find out. I’ve never watched Locked Up Abroad,

00:23:47.310 --> 00:23:56.610
thankfully. I was a little nervous. I literally, legit technically did bad things.

00:23:56.610 --> 00:24:02.700
JACK: While he didn’t actually do anything malicious to a computer,

00:24:02.700 --> 00:24:06.840
he did cross the line for where he shouldn’t have been physically and he

00:24:06.840 --> 00:24:10.560
lied to the employees about why he was there. The situation would have been a

00:24:10.560 --> 00:24:15.300
lot worse if he had actually tried to take a computer out of the building. Lucky for him,

00:24:15.300 --> 00:24:19.500
the USB rubber ducky he was plugging in did not actually do anything bad to their

00:24:19.500 --> 00:24:24.210
computers. He kept trying to explain himself as they drove him to the bank’s headquarters but

00:24:24.210 --> 00:24:27.960
they still wanted their security team to check out the rubber ducky and question him further.

00:24:27.960 --> 00:24:33.990
JASON: I get into the head office [MUSIC] and I get to their floor and we find some other security

00:24:33.990 --> 00:24:37.650
vulnerabilities because they allowed us to walk around unescorted into areas they shouldn’t have,

00:24:37.650 --> 00:24:48.060
which was another finding. I finally get into the security department’s office and I literally, I’m

00:24:48.060 --> 00:24:54.930
doing the best I can to be as adorable as I can. I’m making jokes about having to pee. I’m making

00:24:54.930 --> 00:25:00.870
jokes about everything. I’m trying to be all disarming. Luckily we had the rubber ducky sticker

00:25:00.870 --> 00:25:05.250
still on the rubber ducky, when usually I take it out of the casing to make it look sketchier,

00:25:05.250 --> 00:25:09.970
which luckily I did not do this time. They were able to Google rubber ducky. They were able to

00:25:09.970 --> 00:25:18.010
see that it was a testing tool. They interrogated – it was like, four hours it seemed like. [MUSIC]

00:25:18.010 --> 00:25:29.740
I actually spent at least two of the hours giving them educational training, consulting

00:25:29.740 --> 00:25:35.170
with them on all the things they did wrong that allowed me to successfully do what I did. When

00:25:35.170 --> 00:25:40.210
the Director of Security came in, I talked to him. I did some of the same old jokes to him,

00:25:40.210 --> 00:25:47.440
trying to disarm him. He calls the guy who hired us to rob the bank. They start talking and halfway

00:25:47.440 --> 00:25:53.410
through the conversation he literally says do we have to split the cost for this? At that point I

00:25:53.410 --> 00:26:02.830
realized it was probably going to be okay. As I’m leaving I tell them as I’m going out the door,

00:26:02.830 --> 00:26:07.690
I’m like we’re good, right? We’re okay. I gave you some consulting and I clinked

00:26:07.690 --> 00:26:11.500
my wrists together like, I don’t go to jail, we’re good, right? Yeah, we’re good,

00:26:11.500 --> 00:26:15.940
we’re good, you can go. I’m like good, I’m getting the F out and I left and I did not

00:26:15.940 --> 00:26:24.940
breathe a good sigh of relief until I was on a plane to Paris like, three days later.

00:26:24.940 --> 00:26:30.670
Who hasn’t robbed the wrong bank before? Mistakes happen. I did find out the next day

00:26:30.670 --> 00:26:34.690
that as soon as I left they closed that branch and did a forensic wipe on all their machines,

00:26:34.690 --> 00:26:38.830
which actually I’m not even mad, I can’t even blame them. That was probably a pretty good idea.

00:26:38.830 --> 00:26:45.190
JACK: Before leaving Beirut, Jason did find the right bank and successfully broke into

00:26:45.190 --> 00:26:49.210
it and gained access to all the computers in the first branch, including each of the

00:26:49.210 --> 00:26:54.010
tellers’ machines. In fact, that break-in he did was documented by National Geographic for

00:26:54.010 --> 00:26:57.970
an episode of a show called Breakthrough. He was tasked with breaking into three branches

00:26:57.970 --> 00:27:01.990
and he had no problem with two. One of the employees in the third branch stopped him

00:27:01.990 --> 00:27:07.030
from touching the computer. He showed them the forged e-mail on his iPad. The employee didn’t

00:27:07.030 --> 00:27:11.860
buy it and was suspicious. Jason said he had more documentation in the car and asked if he should

00:27:11.860 --> 00:27:18.280
go get it. The employee said yes. This allowed Jason to escape the branch. He was stopped but

00:27:18.280 --> 00:27:22.900
not caught. He was proud of them for stopping him and made sure to speak highly of them in

00:27:22.900 --> 00:27:27.910
his report for being good at stopping him. How can we protect ourselves from people like you?

00:27:27.910 --> 00:27:32.920
JASON: By letting people know that it is okay for them to be suspicious when someone walks in,

00:27:32.920 --> 00:27:38.950
that they need to call someone to verify when someone new is around, that robbers don’t just

00:27:38.950 --> 00:27:45.010
carry ski masks and shotguns but they also have suits and USB drives. I think that’s

00:27:45.010 --> 00:27:50.380
the key thing, is that be wary of certain e-mails that look like they’re coming from

00:27:50.380 --> 00:27:55.390
– that have a link and an attachment should actually up your suspicious level by you know,

00:27:55.390 --> 00:28:00.790
9,000 no matter what. No matter if you were expecting it or anything. You should always

00:28:00.790 --> 00:28:05.440
be cautious with it. You should always check and double check with the sender to make sure

00:28:05.440 --> 00:28:11.230
that’s what you were looking for. Also, when you see people new that are coming in or are saying

00:28:11.230 --> 00:28:15.460
that they’re going to be doing work in your area, there is no harm in verifying that and

00:28:15.460 --> 00:28:21.790
you never let someone follow you in with your ID and badge, using your access to get into

00:28:21.790 --> 00:28:26.170
the building. They should have their own access and get in themselves. We want to be polite. We

00:28:26.170 --> 00:28:32.710
don’t want to be rude. You have to not be rude but you have to be firm.

00:28:32.710 --> 00:28:36.580
This is a security policy; this isn’t my decision, but this is a security policy.

00:28:36.580 --> 00:28:40.120
JACK: Thank you Jason, for coming on the show and sharing your story with us.

00:28:40.120 --> 00:28:42.430
JASON: Kudos for you for doing this and trying to

00:28:42.430 --> 00:28:50.020
get more information out there. That’s the key thing. We win by informing and

00:28:50.020 --> 00:28:53.990
giving knowledge out to others. You may not know what the threats are.

00:28:53.990 --> 00:29:04.900
JACK: [OUTRO MUSIC] You’ve been listening to Darknet Diaries. You can find photos,

00:29:04.900 --> 00:29:07.630
videos, and more information about Jason in the

00:29:07.630 --> 00:29:13.240
show notes at darknetdiaries.com. Music is provided by Ian Alex Mac and Jahzzar.
