WEBVTT

00:00:02.169 --> 00:00:06.849
JACK: [MUSIC] Hey, it’s Jack, host of the show.

00:00:06.849 --> 00:00:10.680
A few years back I went to Silicon Valley to do some training.

00:00:10.680 --> 00:00:13.020
While visiting, I decided to visit Google.

00:00:13.020 --> 00:00:15.750
I didn’t know anyone there and they didn’t know I was coming.

00:00:15.750 --> 00:00:19.039
I just wanted to park and walk around the building and see what it looked like.

00:00:19.039 --> 00:00:22.539
A co-worker and I used Google Maps and found it.

00:00:22.539 --> 00:00:25.560
There it was, the main headquarters for Google.

00:00:25.560 --> 00:00:30.850
Actually, they call it the Googleplex, the place where e-mails are stored, browsing history,

00:00:30.850 --> 00:00:33.699
map locations, it’s all there.

00:00:33.699 --> 00:00:36.899
Not to mention the source code for so many products, too.

00:00:36.899 --> 00:00:41.129
If that data isn’t in these buildings, the people who work in these buildings have access

00:00:41.129 --> 00:00:42.269
to that data.

00:00:42.269 --> 00:00:44.989
We find the place; we pull into the parking lot.

00:00:44.989 --> 00:00:47.179
No guard gate in the parking lot.

00:00:47.179 --> 00:00:48.179
Cool.

00:00:48.179 --> 00:00:52.280
We park the car and as soon as I get out, there’s a bunch of bicycles just parked

00:00:52.280 --> 00:00:53.280
everywhere.

00:00:53.280 --> 00:00:58.430
No chain or locks, and these bikes are all super colorful; red seat, yellow body, green

00:00:58.430 --> 00:00:59.559
fenders, blue handlebars.

00:00:59.559 --> 00:01:01.449
I’ve heard about these.

00:01:01.449 --> 00:01:03.379
These are the free Gbikes.

00:01:03.379 --> 00:01:07.870
Googleplex is so big and employees need to get across the campus so they put these free

00:01:07.870 --> 00:01:10.329
bikes everywhere for employees to ride.

00:01:10.329 --> 00:01:15.799
I have no idea why every single bike isn’t stolen every night from this place but whatever.

00:01:15.799 --> 00:01:19.520
My friend and I walk past these bikes and up to the Google offices.

00:01:19.520 --> 00:01:23.829
The campus reminds me of a university; instead of one giant office building, it’s many

00:01:23.829 --> 00:01:28.939
smaller buildings spread out all over the place with sidewalks going everywhere.

00:01:28.939 --> 00:01:32.140
We walk onto the campus between some buildings.

00:01:32.140 --> 00:01:34.460
We get among the buildings into a courtyard.

00:01:34.460 --> 00:01:39.590
There’s a sand volleyball court with a game being played right in front of me and I can

00:01:39.590 --> 00:01:43.530
see across the street, there’s a Google athletic field where a soccer game is going

00:01:43.530 --> 00:01:44.530
on.

00:01:44.530 --> 00:01:48.920
There are people on Google bikes just whizzing by us, and we found a giant Android robot

00:01:48.920 --> 00:01:49.920
statue.

00:01:49.920 --> 00:01:52.780
I took a selfie and we hung out on the campus for a minute.

00:01:52.780 --> 00:01:56.719
A lot of engineers and technical people were just walking on past us.

00:01:56.719 --> 00:01:59.689
I wondered what they did.

00:01:59.689 --> 00:02:01.040
Security seemed nonexistent.

00:02:01.040 --> 00:02:06.710
I decided to go into one of the buildings so I followed someone inside an office.

00:02:06.710 --> 00:02:10.409
But it didn’t matter because there was no badge reader or security to keep me from just

00:02:10.409 --> 00:02:11.459
walking in by myself.

00:02:11.459 --> 00:02:12.600
It was weird.

00:02:12.600 --> 00:02:17.730
It was too easy, like I was walking into a trap or something, so I just turned around

00:02:17.730 --> 00:02:18.730
and walked out.

00:02:18.730 --> 00:02:19.730
I went into another building.

00:02:19.730 --> 00:02:21.650
This was a cafeteria of some kind.

00:02:21.650 --> 00:02:25.650
It seemed like there was free food for employees and I don’t know but it seemed like anyone

00:02:25.650 --> 00:02:28.050
could just walk in and grab a burger.

00:02:28.050 --> 00:02:29.510
The experience was wild.

00:02:29.510 --> 00:02:33.879
I’ve never seen a corporate environment like this before and it made me question my

00:02:33.879 --> 00:02:35.020
lame office job.

00:02:35.020 --> 00:02:39.069
But it was super fun to visit the Googleplex.

00:02:39.069 --> 00:02:42.791
The next day after training, because we had so much fun at Google, my friend and I wanted

00:02:42.791 --> 00:02:45.659
to go to the Facebook campus to check it out.

00:02:45.659 --> 00:02:50.400
[MUSIC] Google Maps made it look like the campus was in a similar style; eleven buildings

00:02:50.400 --> 00:02:54.129
all spread out with a central courtyard and sidewalks everywhere.

00:02:54.129 --> 00:02:56.019
We cruise on in the parking lot.

00:02:56.019 --> 00:02:57.879
No fence or guards to keep us out.

00:02:57.879 --> 00:02:58.879
Cool.

00:02:58.879 --> 00:03:02.890
We park and here at Facebook, we see a ton of blue bikes.

00:03:02.890 --> 00:03:06.470
Just like at Google, these are free bikes for Facebook employees to use to get from

00:03:06.470 --> 00:03:07.870
building to building.

00:03:07.870 --> 00:03:10.519
We decided to try to go into one of the buildings.

00:03:10.519 --> 00:03:12.750
We walk on up, grab the handle.

00:03:12.750 --> 00:03:14.019
Door’s unlocked, right on.

00:03:14.019 --> 00:03:18.599
We go in but immediately a security guard asks us what our business is.

00:03:18.599 --> 00:03:20.860
We say we’re just here to use the bathroom.

00:03:20.860 --> 00:03:24.150
She tells us no and to leave; there’s no restroom here.

00:03:24.150 --> 00:03:27.950
We beg her to use the restroom but she says no, we have to go.

00:03:27.950 --> 00:03:33.409
We decided to walk around the buildings and try to find a way into this inner courtyard

00:03:33.409 --> 00:03:35.459
but this campus is a little different.

00:03:35.459 --> 00:03:40.319
Between each building is a high-security fence keeping you from going into the courtyard.

00:03:40.319 --> 00:03:42.010
We go around to the next building.

00:03:42.010 --> 00:03:43.830
Same thing; big fence, locked.

00:03:43.830 --> 00:03:44.980
Can’t get in.

00:03:44.980 --> 00:03:47.689
The next building, another fence locked.

00:03:47.689 --> 00:03:52.390
At this point I’m becoming really curious what’s in their center courtyard and amongst

00:03:52.390 --> 00:03:55.040
their buildings and I want to get in and see it.

00:03:55.040 --> 00:03:58.959
I say to my friend okay, the next gate we get to, if it’s locked, I’m gonna just

00:03:58.959 --> 00:04:01.079
wait there and tailgate someone in.

00:04:01.079 --> 00:04:03.870
He says okay and waits for me down at the end of the sidewalk.

00:04:03.870 --> 00:04:07.840
I stand near the gate looking at my phone, trying to be inconspicuous.

00:04:07.840 --> 00:04:08.840
Someone comes up to the gate.

00:04:08.840 --> 00:04:09.840
They swipe their badge.

00:04:09.840 --> 00:04:10.840
The gate opens.

00:04:10.840 --> 00:04:12.349
I follow him into the courtyard.

00:04:12.349 --> 00:04:13.609
Yes, it’s working!

00:04:13.609 --> 00:04:17.630
I close the gate behind me, then I realize I’m trapped.

00:04:17.630 --> 00:04:20.370
To get into the courtyard there’s another gate.

00:04:20.370 --> 00:04:23.760
You need to get through two different gates to get in.

00:04:23.760 --> 00:04:27.320
One uses a badge and the other uses something else.

00:04:27.320 --> 00:04:30.980
When the guy ahead of me saw that I tailgated him in, he quickly went through that second

00:04:30.980 --> 00:04:32.900
gate and closed it behind him.

00:04:32.900 --> 00:04:34.950
I was now stuck between the two gates.

00:04:34.950 --> 00:04:39.390
I couldn’t get into the courtyard because that gate was locked so my only option was

00:04:39.390 --> 00:04:43.420
to go back out the same gate I came in, so I did.

00:04:43.420 --> 00:04:46.970
Security at Facebook thwarted my half-assed attempt at getting in.

00:04:46.970 --> 00:04:53.460
Not bad, but if I was a professional social engineer, I bet this would have gone down

00:04:53.460 --> 00:04:55.330
totally differently.

00:04:55.330 --> 00:05:01.980
JACK (INTRO): [INTRO MUSIC] These are true stories from the dark side of the

00:05:01.980 --> 00:05:04.380
internet.

00:05:04.380 --> 00:05:08.980
I’m Jack Rhysider.

00:05:08.980 --> 00:05:13.130
This is Darknet Diaries.

00:05:13.130 --> 00:05:22.190
[INTRO MUSIC ENDS]

00:05:22.190 --> 00:05:28.170
JACK: Today we’re gonna hear from a social engineer named JekHyde.

00:05:28.170 --> 00:05:34.680
JEK: My name is JekHyde and I am a physical penetration tester and social engineer.

00:05:34.680 --> 00:05:42.800
I work with a Red Team of technical hackers and I gain physical access to buildings so

00:05:42.800 --> 00:05:48.860
that we can use that access to exploit their – maybe it’s personal information we’re

00:05:48.860 --> 00:05:52.750
after or credit cards, stuff we shouldn’t get our hands on.

00:05:52.750 --> 00:05:53.750
JACK: Yep, yep.

00:05:53.750 --> 00:05:54.750
You got it.

00:05:54.750 --> 00:05:57.370
JekHyde is gonna share a story with us about how she broke into a building.

00:05:57.370 --> 00:06:01.380
I always think it’s fun to tag along with these kinds of stories and listen to what their

00:06:01.380 --> 00:06:02.900
job is like.

00:06:02.900 --> 00:06:05.090
JekHyde is her hacker name, you could say.

00:06:05.090 --> 00:06:08.740
Kind of like a play on the whole Dr. Jekyll and Mr. Hyde story.

00:06:08.740 --> 00:06:11.030
One person but two different personalities.

00:06:11.030 --> 00:06:13.780
But Jek wasn’t always doing this kind of work.

00:06:13.780 --> 00:06:22.100
JEK: I actually was introduced to this line of work while I was working as a journalist.

00:06:22.100 --> 00:06:28.030
I studied journalism in Dallas and I got involved with the Dallas Hackers Community because

00:06:28.030 --> 00:06:30.720
they were making some waves.

00:06:30.720 --> 00:06:36.560
I was introduced to the concept of penetration testing first and then a friend told me about

00:06:36.560 --> 00:06:42.860
physical penetration testing and I was like you get to break into buildings for a living?

00:06:42.860 --> 00:06:44.210
That’s crazy.

00:06:44.210 --> 00:06:47.970
He was like yeah, well I don’t particularly like to do it.

00:06:47.970 --> 00:06:54.130
It’s nerve-wracking and I have to lie to people and it’s just all kind of scary.

00:06:54.130 --> 00:06:58.941
I said well, if you get a job you don’t want, I would love to try my hand at it.

00:06:58.941 --> 00:07:03.770
I was almost kind of joking, half-joking.

00:07:03.770 --> 00:07:09.050
He was like oh, if you really mean it, I think I could probably get you on some jobs.

00:07:09.050 --> 00:07:12.900
I was like oh man, okay.

00:07:12.900 --> 00:07:18.780
JACK: [MUSIC] A security assessment company offered Jek a contractor assignment to try

00:07:18.780 --> 00:07:22.810
to physically break into a building that they had permission to test the security on.

00:07:22.810 --> 00:07:31.190
JEK: I went in to do this test and I got in on my first try which was wild to me at the

00:07:31.190 --> 00:07:34.560
time, because a secure facility is secure, right?

00:07:34.560 --> 00:07:39.190
That became clear to me that that wasn’t always the case.

00:07:39.190 --> 00:07:43.610
I got in and I got back out to my car and I called my friend back and I was like I need

00:07:43.610 --> 00:07:45.950
more of this in my life.

00:07:45.950 --> 00:07:47.200
I’m addicted.

00:07:47.200 --> 00:07:51.970
[MUSIC] I’ve been doing this for three or four years now.

00:07:51.970 --> 00:07:57.080
JACK: But the thing that surprises me about that story is that you basically did it without

00:07:57.080 --> 00:08:01.010
any real security or any real training at all to know how to do this.

00:08:01.010 --> 00:08:02.280
Is that how it…?

00:08:02.280 --> 00:08:05.310
JEK: That is correct.

00:08:05.310 --> 00:08:09.460
I am an APT, my friend, with no training.

00:08:09.460 --> 00:08:14.070
JACK: What makes you feel like you have what it takes to do this, or what does it take

00:08:14.070 --> 00:08:15.070
to do this?

00:08:15.070 --> 00:08:18.280
JEK: That is a really interesting question.

00:08:18.280 --> 00:08:24.080
In order to do physical penetration testing or social engineering, I think the biggest

00:08:24.080 --> 00:08:29.400
quality a person has to have is confidence that you can do it.

00:08:29.400 --> 00:08:31.290
I can break into that building.

00:08:31.290 --> 00:08:37.169
I can convincingly lie to someone because if you are not confident, that comes off in

00:08:37.169 --> 00:08:39.899
the way you hold yourself and the way your voice sounds.

00:08:39.899 --> 00:08:45.960
It becomes unconvincing to other people if you don’t believe it yourself.

00:08:45.960 --> 00:08:52.019
I think my time as – my time in theatre and my time in journalism learning how to

00:08:52.019 --> 00:08:56.019
talk to people, learning what questions to ask, how to put people at ease, that probably

00:08:56.019 --> 00:09:01.410
is what set me up for a successful career in physical penetration testing and social

00:09:01.410 --> 00:09:02.410
engineering.

00:09:02.410 --> 00:09:03.630
JACK: Actually, I’ve heard this before.

00:09:03.630 --> 00:09:07.689
Jek said she had a background in theatre as well as journalism and other penetration

00:09:07.689 --> 00:09:12.029
testers have told me to get good at social engineering, take an improv class or an acting

00:09:12.029 --> 00:09:16.630
class because there, they’ll teach you how to become someone else and be convincing.

00:09:16.630 --> 00:09:20.940
You’ll learn how to react to really zany situations and be able to get through it cool

00:09:20.940 --> 00:09:22.199
and calm.

00:09:22.199 --> 00:09:26.230
Yeah, acting does play a big part in sneaking into places.

00:09:26.230 --> 00:09:30.230
Now if you couldn’t tell, Jek is female and she sometimes uses this to her advantage

00:09:30.230 --> 00:09:32.790
while doing these social engineering missions.

00:09:32.790 --> 00:09:35.490
She also uses different costumes.

00:09:35.490 --> 00:09:37.310
JEK: Yeah.

00:09:37.310 --> 00:09:48.209
I have several different disguises so that I can switch out my appearance relatively quickly

00:09:48.209 --> 00:09:50.269
on-site if I need to.

00:09:50.269 --> 00:09:59.250
I have wigs, I have glasses, I have different changes of clothes, things that I will be

00:09:59.250 --> 00:10:06.329
able to remove and apply quickly, different types of makeup and maybe a prosthetic mole

00:10:06.329 --> 00:10:14.999
or something along those lines but my favorite toy, my favorite tool that I use on these

00:10:14.999 --> 00:10:22.450
engagements that if I can use it, I do, is my pregnancy prosthetic.

00:10:22.450 --> 00:10:33.410
I have a big belly that is filled with silicone and it has Velcro straps that I will use to

00:10:33.410 --> 00:10:44.439
wrap around my waist and stick it to my stomach and it makes me go from this 125-pound, pretty

00:10:44.439 --> 00:10:50.380
unimpressive person to oh my goodness, I am eight months pregnant and would you please

00:10:50.380 --> 00:10:52.800
get the door for me?

00:10:52.800 --> 00:10:59.499
When I have that option and I do use it, it works 100% of the time.

00:10:59.499 --> 00:11:03.269
JACK: Oh my gosh, that’s so evil.

00:11:03.269 --> 00:11:05.430
Now I see why she’s JekHyde.

00:11:05.430 --> 00:11:10.889
Dr. Jekyll is a good person but Mr. Hyde is sometimes shockingly evil.

00:11:10.889 --> 00:11:14.589
Can you imagine seeing a woman who’s eight months pregnant coming down the hallway holding

00:11:14.589 --> 00:11:19.749
her back and her belly, asking you to kindly hold open the door, and you just close it

00:11:19.749 --> 00:11:22.740
in her face and say badge in like everyone else, lady?

00:11:22.740 --> 00:11:25.199
It’s like what are we supposed to do in these situations?

00:11:25.199 --> 00:11:30.579
JEK: One of the things that I think most pregnant women or men who have had pregnant women in

00:11:30.579 --> 00:11:40.600
their lives have experienced is pregnancy brain and so I can pretend like oh man, I’m

00:11:40.600 --> 00:11:42.550
feeling foggy.

00:11:42.550 --> 00:11:47.689
Pregnancy brain, I’ve forgotten my badge or I’ve forgotten this piece of information.

00:11:47.689 --> 00:11:53.070
Oh my goodness, can you believe I cannot remember my password?

00:11:53.070 --> 00:11:55.089
People are very sympathetic to that.

00:11:55.089 --> 00:11:58.430
Again, it’s exploiting the human factor.

00:11:58.430 --> 00:12:02.610
People are very eager to help people who are in distress.

00:12:02.610 --> 00:12:08.759
Not just pregnant women but older people or somebody who is either disabled or maybe they’re

00:12:08.759 --> 00:12:12.200
temporarily injured and they have a cast or they’re in a wheelchair or something along

00:12:12.200 --> 00:12:13.200
those lines.

00:12:13.200 --> 00:12:19.160
We want to be helpful people and that’s what a lot of bad guys take advantage of.

00:12:19.160 --> 00:12:25.920
You have these scams against older folks all the time who get calls supposedly from their

00:12:25.920 --> 00:12:31.420
grandkids; grandma, I’m in jail, or grandpa, I’m in the hospital, I need money.

00:12:31.420 --> 00:12:40.509
That’s what we try to emulate, is this malicious actor who doesn’t care about people’s

00:12:40.509 --> 00:12:41.509
feelings.

00:12:41.509 --> 00:12:42.750
They’re just in it for themselves.

00:12:42.750 --> 00:12:43.750
JACK: It’s true.

00:12:43.750 --> 00:12:48.279
A lot of scam artists do target the weak and elderly people who have no chance against

00:12:48.279 --> 00:12:50.320
them. It’s evil and sick.

00:12:50.320 --> 00:12:54.290
Okay, so I’m properly freaked out now already by Jek.

00:12:54.290 --> 00:12:59.660
I’m confident that she’s evil enough to do something crazy to get into any building.

00:12:59.660 --> 00:13:05.610
Let’s go along with her on a mission, a physical penetration test, a social engineering

00:13:05.610 --> 00:13:06.610
engagement.

00:13:06.610 --> 00:13:07.800
A Red Team assessment.

00:13:07.800 --> 00:13:16.399
JEK: [MUSIC] We were hired to do a physical for an international manufacturing business.

00:13:16.399 --> 00:13:23.240
The way a lot of companies do their headquarters is they’ll have a headquarters in different

00:13:23.240 --> 00:13:27.680
countries if they’re an international corporation.

00:13:27.680 --> 00:13:32.100
This particular headquarters was in a Spanish-speaking country and it was where we were hired to

00:13:32.100 --> 00:13:33.360
do this physical.

00:13:33.360 --> 00:13:38.690
It was a Spanish-speaking country and I do not speak Spanish.

00:13:38.690 --> 00:13:42.770
When I heard that there was a physical component to this test and they wanted us to plant a

00:13:42.770 --> 00:13:47.029
rogue device, I was like okay, we gotta bring Carl on.

00:13:47.029 --> 00:13:53.319
Carl not only focuses on the rogue devices and dropboxes, we called them at the time,

00:13:53.319 --> 00:13:54.879
but he is also a Spanish speaker.

00:13:54.879 --> 00:13:59.319
CARL: I was at least a little bit, enough to get by which is what was necessary for

00:13:59.319 --> 00:14:01.319
this one. I’m Carl.

00:14:01.319 --> 00:14:06.670
I basically do the hardware and our rogue device side.

00:14:06.670 --> 00:14:11.059
Jek essentially gets me into the building and then I install the devices and so we’ve

00:14:11.059 --> 00:14:16.420
been on several of these little trips together now and it’s been a good time.

00:14:16.420 --> 00:14:22.500
The story we’re about to recite is one of my actual first physicals and so there’s

00:14:22.500 --> 00:14:25.290
a certain aspect to the emotion of that.

00:14:25.290 --> 00:14:28.674
When you’re used to being a nerd behind a computer for so long and then you’re out

00:14:28.674 --> 00:14:32.119
in front of the adversary, it’s a little different.

00:14:32.119 --> 00:14:37.830
JACK: The objective is to break into this manufacturing plant in a Spanish-speaking

00:14:37.830 --> 00:14:42.279
country, plant a rogue device so that they can try to use it to hack into the company,

00:14:42.279 --> 00:14:43.610
and then get out.

00:14:43.610 --> 00:14:47.990
They have permission from the head of security to conduct this intrusion which is to assess

00:14:47.990 --> 00:14:50.129
the security of the facility.

00:14:50.129 --> 00:14:53.269
The team consists of JekHyde and Carl.

00:14:53.269 --> 00:14:55.180
Jek is a physical penetration tester.

00:14:55.180 --> 00:14:58.509
She’s an expert at sneaking into places that she shouldn’t be in.

00:14:58.509 --> 00:15:00.279
Carl is the hacker.

00:15:00.279 --> 00:15:04.699
He’s an Offensive Security Certified Professional which is a training course and certification

00:15:04.699 --> 00:15:06.550
that teaches you how to hack computers.

00:15:06.550 --> 00:15:10.180
He’s a coder and he knows his way around operating systems really well.

00:15:10.180 --> 00:15:15.360
But most of all, Carl has a real passion for computers and breaking into stuff.

00:15:15.360 --> 00:15:18.610
The two together make a very dangerous pair.

00:15:18.610 --> 00:15:25.759
JEK: When we get a client, the first thing I want is an address of the building that

00:15:25.759 --> 00:15:27.130
they want tested.

00:15:27.130 --> 00:15:31.929
Then the first place I go after that is Google Maps.

00:15:31.929 --> 00:15:39.410
[MUSIC] I am looking at this from bird’s eye view, satellite images, I’m looking

00:15:39.410 --> 00:15:41.699
at it from a street view.

00:15:41.699 --> 00:15:47.779
I want to know everything I can just looking at the building from the outside.

00:15:47.779 --> 00:15:54.779
What I found looking at this building on Google Maps was that there was basically a fence

00:15:54.779 --> 00:15:58.060
or a wall surrounding the thing.

00:15:58.060 --> 00:16:06.749
It was not just any fence; it was actually a palisade-style fence with this curved top

00:16:06.749 --> 00:16:11.939
and this three-pronged very aggressive topper.

00:16:11.939 --> 00:16:16.490
JACK: There were two entrances to get into this building, one for trucks and deliveries

00:16:16.490 --> 00:16:18.470
and the other was for workers.

00:16:18.470 --> 00:16:23.110
From Google Maps she could see that these two entrances had a guard shack right next

00:16:23.110 --> 00:16:27.829
to the entrance which would watch that everyone used their badge to get into the turnstile

00:16:27.829 --> 00:16:29.309
and into the building.

00:16:29.309 --> 00:16:37.110
JEK: This was a pretty aggressive security situation where there was a pretty intimidating

00:16:37.110 --> 00:16:45.519
fence, there was a guard checkpoint, and I found photos of the badge readers online because

00:16:45.519 --> 00:16:48.579
people post everything on social media.

00:16:48.579 --> 00:16:51.379
I knew what kind of badge system they were using.

00:16:51.379 --> 00:16:56.129
JACK: Jek’s first thought was okay, maybe they can find a nearby coffee shop, see somebody

00:16:56.129 --> 00:17:02.059
with a badge to this place, bump into them casually, clone the badge in the process,

00:17:02.059 --> 00:17:03.170
and then walk away.

00:17:03.170 --> 00:17:08.590
But when she started getting the badge-cloning devices together, she had second thoughts.

00:17:08.590 --> 00:17:14.000
JEK: This stuff looks kind of intimidating and you don’t want to be carrying it through

00:17:14.000 --> 00:17:20.900
airport security in countries where things might not be as safe as they are here in the

00:17:20.900 --> 00:17:21.900
US.

00:17:21.900 --> 00:17:28.790
Unfortunately bringing my badge-cloning equipment wasn’t an option for this particular job.

00:17:28.790 --> 00:17:37.150
We were gonna have to figure out okay, maybe there’s a way that we could jump over this

00:17:37.150 --> 00:17:38.150
fence.

00:17:38.150 --> 00:17:43.120
Maybe if we found a tree or a dark spot.

00:17:43.120 --> 00:17:49.030
It didn’t seem particularly well-lit at night and so I was like okay, maybe jumping

00:17:49.030 --> 00:17:51.080
this thing might be an option.

00:17:51.080 --> 00:17:57.610
It wasn’t concertina wire and I’m a relatively – we both are relatively physically fit

00:17:57.610 --> 00:18:01.680
people so we were kind of playing with that idea.

00:18:01.680 --> 00:18:04.760
We were like okay, that’s definitely an option.

00:18:04.760 --> 00:18:09.600
JACK: Jek and Carl did some more passive reconnaissance and decided to fly to the location to try

00:18:09.600 --> 00:18:11.020
to find a way in.

00:18:11.020 --> 00:18:16.180
[MUSIC] They arrive and decide to scope out the place from a distance to see if they could

00:18:16.180 --> 00:18:20.220
find any weak spots in security where they could just sneak into the building.

00:18:20.220 --> 00:18:28.360
JEK: When we got there though, we performed on-site reconnaissance and when we got there,

00:18:28.360 --> 00:18:33.620
we realized that this guard – there were three guard booths around the facility and

00:18:33.620 --> 00:18:35.570
they were all manned 24/7.

00:18:35.570 --> 00:18:43.830
On top of that there was a police watch that did rounds around this facility in the neighborhood

00:18:43.830 --> 00:18:45.460
around it at night.

00:18:45.460 --> 00:18:49.340
We knew right away – we were like okay, there’s no way we’re jumping this fence.

00:18:49.340 --> 00:18:51.520
It’s just not gonna happen.

00:18:51.520 --> 00:18:52.520
JACK: Okay.

00:18:52.520 --> 00:18:58.900
The manufacturing company seems to have their security in order; lots of cameras, and guards,

00:18:58.900 --> 00:19:02.090
and fences, and turnstiles, and only two entry points.

00:19:02.090 --> 00:19:04.640
Gosh, this is going to be hard.

00:19:04.640 --> 00:19:07.690
Walking in off the street doesn’t seem to be an option here.

00:19:07.690 --> 00:19:12.170
You’re not gonna get in this building without a badge and if you try to go up and lie to

00:19:12.170 --> 00:19:16.610
the guard who may not even speak your language and you get caught, the whole engagement is

00:19:16.610 --> 00:19:17.610
blown.

00:19:17.610 --> 00:19:24.290
JEK: And potentially face angry law enforcement officers and guards whose language we don’t

00:19:24.290 --> 00:19:26.430
speak, or…

00:19:26.430 --> 00:19:31.300
JACK: Or they can use a completely different strategy to get into this place.

00:19:31.300 --> 00:19:36.980
JEK: We started looking at our options and this was the Plan B that we had been building

00:19:36.980 --> 00:19:43.880
up before we got in-country that we were going to lean back on if we decided that a more

00:19:43.880 --> 00:19:48.490
covert infiltration wasn’t going to be an option.

00:19:48.490 --> 00:19:53.650
When I was doing reconnaissance, I looked at a lot of social media accounts.

00:19:53.650 --> 00:19:59.210
I looked at LinkedIn, and Facebook, and Instagram’s a big one, and just plain Google, Googling

00:19:59.210 --> 00:20:02.410
your company in the country it’s in.

00:20:02.410 --> 00:20:06.110
What I’m looking for is a mark.

00:20:06.110 --> 00:20:11.410
JACK: In social engineering lingo, a mark is the victim person, a person who you think

00:20:11.410 --> 00:20:15.530
is just gullible enough to be tricked into doing something for you.

00:20:15.530 --> 00:20:20.320
Jek is going to do a bamboozle on someone and she needs to find that perfect victim.

00:20:20.320 --> 00:20:24.480
She’s going to places like LinkedIn and seeing what people are into.

00:20:24.480 --> 00:20:29.490
She’s looking for people who might be somehow eager for acceptance or they show a lot of

00:20:29.490 --> 00:20:32.690
vanity, or maybe there’s just somebody who’s really greedy.

00:20:32.690 --> 00:20:38.010
If Jek can find someone like this, she can try to trick them into doing work for her.

00:20:38.010 --> 00:20:42.870
After researching this long enough, she found someone, a mark who she chose because of their

00:20:42.870 --> 00:20:44.180
idealism.

00:20:44.180 --> 00:20:55.030
JEK: This person had single-handedly put together a coalition of their co-workers and started

00:20:55.030 --> 00:20:57.810
up a food bank.

00:20:57.810 --> 00:21:06.270
He convinced them to not only volunteer at this food bank but donate their time and resources

00:21:06.270 --> 00:21:12.300
to help building it up, and they’ve become a movement in their community to help feed

00:21:12.300 --> 00:21:15.210
the hungry.

00:21:15.210 --> 00:21:19.880
That became where I focused my attention on these people.

00:21:19.880 --> 00:21:24.610
JACK: I think I just saw Jek turn into Mr. Hyde.

00:21:24.610 --> 00:21:28.800
She’s choosing the people who set up a charity as her mark.

00:21:28.800 --> 00:21:33.550
She’s planning on exploiting their caring and good-hearted natures so she can get into

00:21:33.550 --> 00:21:34.580
this building.

00:21:34.580 --> 00:21:37.020
Ooh, that’s evil.

00:21:37.020 --> 00:21:45.960
JEK: We built up this pretext that I was a woman named Bridget and Carl was this guy

00:21:45.960 --> 00:21:53.490
named Ted and we were both involved in the department of our company back at the headquarters

00:21:53.490 --> 00:21:55.080
in the United States.

00:21:55.080 --> 00:22:00.670
What we did was we put a phish together, a phishing e-mail with a domain that looked

00:22:00.670 --> 00:22:04.350
a lot like our target company’s domain.

00:22:04.350 --> 00:22:10.790
Instead of targetcompany.com it was targetcompany-communityresources.com.

00:22:10.790 --> 00:22:18.210
Then Bridget and Ted, these two fake people, went back and forth talking to each other

00:22:18.210 --> 00:22:23.590
talking about this conference that was going on in that country for our company.

00:22:23.590 --> 00:22:27.380
We were talking back and forth as if we were going to this conference.

00:22:27.380 --> 00:22:31.630
Hey Ted, are you going to that conference in November?

00:22:31.630 --> 00:22:33.810
He was like yeah, the whole family’s coming.

00:22:33.810 --> 00:22:35.010
We’re looking forward to it.

00:22:35.010 --> 00:22:37.670
I’ll see you there.

00:22:37.670 --> 00:22:43.460
I would respond yeah, that’s fantastic, we should swing by and see our offices, our

00:22:43.460 --> 00:22:45.840
headquarters in-country while we’re there.

00:22:45.840 --> 00:22:49.670
He says yeah, that sounds like a fantastic idea.

00:22:49.670 --> 00:22:54.420
Actually, there’s a team there that put together a food bank that I would really love

00:22:54.420 --> 00:22:55.420
to meet.

00:22:55.420 --> 00:23:00.860
JACK: Now Jek is acting like Bridget and Carl is acting like Ted and they are both acting

00:23:00.860 --> 00:23:04.520
like they help with charitable activities from the corporate office in these e-mails.

00:23:04.520 --> 00:23:08.580
But so far these e-mails have only gone back and forth between Jek and Carl.

00:23:08.580 --> 00:23:10.430
This is just to build up the pretext.

00:23:10.430 --> 00:23:15.760
See, a pretext is a cloak, it’s a disguise that hides who you really are.

00:23:15.760 --> 00:23:17.380
It has to be believable.

00:23:17.380 --> 00:23:22.510
By sending e-mails back and forth between them, it builds this up because they are about

00:23:22.510 --> 00:23:24.940
to forward the whole e-mail chain to the mark.

00:23:24.940 --> 00:23:30.580
JEK: I said the day before we were planning this breach, hey Ted, have you reached out

00:23:30.580 --> 00:23:35.390
to that team yet because you speak Spanish and I thought you were gonna go ahead and

00:23:35.390 --> 00:23:40.360
see if we can maybe go meet these awesome people who created this awesome food bank

00:23:40.360 --> 00:23:41.670
program.

00:23:41.670 --> 00:23:44.310
Ted goes oh dang, I hope we aren’t too late.

00:23:44.310 --> 00:23:47.890
We’re not in the country for very much longer.

00:23:47.890 --> 00:23:53.280
He puts together this phish in Spanish and he goes hey, my name’s Ted, I’m a project

00:23:53.280 --> 00:23:58.480
manager based out of the headquarters for our company in the states and I heard about

00:23:58.480 --> 00:24:02.590
the inspiring work you’re doing and we’re really proud.

00:24:02.590 --> 00:24:06.860
CARL: Put in a line to the extent [00:25:00] of ‘If you can’t feed a hundred people

00:24:06.860 --> 00:24:11.750
then feed just one, from Mother Teresa.’

00:24:11.750 --> 00:24:12.810
That really connects.

00:24:12.810 --> 00:24:17.270
It’s a good sentiment in any case but it really brought the entire phish together.

00:24:17.270 --> 00:24:22.210
It just sits there nicely at the bottom of the e-mail and it’s like putting the bow

00:24:22.210 --> 00:24:25.300
on top of the present.

00:24:25.300 --> 00:24:29.530
That’s essentially the picture that we were trying to paint, is we were very interested

00:24:29.530 --> 00:24:36.830
in this food bank and we were similar-minded individuals that had a similar goal of

00:24:36.830 --> 00:24:40.340
community outreach, and we were interested in staying at a location there.

00:24:40.340 --> 00:24:43.830
JACK: Okay, honestly, would you fall for this?

00:24:43.830 --> 00:24:48.040
We often shame people who fall for phishing scams and we say things like I would never

00:24:48.040 --> 00:24:49.910
fall for something like that.

00:24:49.910 --> 00:24:54.150
But imagine if you had poured your heart into starting something and now some big-time people

00:24:54.150 --> 00:24:56.110
are contacting you wanting to meet.

00:24:56.110 --> 00:25:00.690
You might just be so excited that you miss the little signs like the e-mail address isn’t

00:25:00.690 --> 00:25:04.060
right or that this e-mail has a sense of urgency to it.

00:25:04.060 --> 00:25:09.140
We’re all a little narcissistic and we want others to appreciate the work we do.

00:25:09.140 --> 00:25:13.370
Something like this feels like you’re finally getting that recognition that you deserve,

00:25:13.370 --> 00:25:18.280
especially when Bridget and Ted have actually researched a lot about what you do and seem

00:25:18.280 --> 00:25:20.630
to know exactly what you’ve been doing.

00:25:20.630 --> 00:25:22.900
This is not some mass e-mail.

00:25:22.900 --> 00:25:26.090
This one is extremely personal and targeted.

00:25:26.090 --> 00:25:30.780
I think anyone would have a really hard time defending against this.

00:25:30.780 --> 00:25:34.690
Now, they send this e-mail chain to the mark.

00:25:34.690 --> 00:25:37.700
The mark works in this building that they want access to.

00:25:37.700 --> 00:25:40.750
This e-mail did not contain any malware or a shady link.

00:25:40.750 --> 00:25:43.800
It just asked if they’re willing to meet.

00:25:43.800 --> 00:25:45.950
After they send the e-mail, they wait.

00:25:45.950 --> 00:25:50.090
Keep in mind, they’re already in the country not too far from the building that they’re

00:25:50.090 --> 00:25:51.140
trying to break into.

00:25:51.140 --> 00:25:54.990
They’re just sitting at the hotel crafting this whole scheme.

00:25:54.990 --> 00:25:58.160
After the break we’ll hear what the reply was.

00:25:58.160 --> 00:26:01.230
After Jek and Carl forward the e-mail, they wait for the reply.

00:26:01.230 --> 00:26:07.670
JEK: They replied within minutes saying oh my goodness, yes, we would love to show you

00:26:07.670 --> 00:26:10.160
around and tell you about our program.

00:26:10.160 --> 00:26:16.420
I want you to meet all of these different people on the team and we can show you where

00:26:16.420 --> 00:26:17.920
we pick up donations.

00:26:17.920 --> 00:26:20.160
They were just extremely enthusiastic.

00:26:20.160 --> 00:26:25.350
JACK: [MUSIC] This was exactly what Jek and Carl were hoping for.

00:26:25.350 --> 00:26:29.460
They couldn’t sneak into the building but now they’ve got someone inside inviting

00:26:29.460 --> 00:26:32.550
them in and willing to show them around.

00:26:32.550 --> 00:26:36.220
These two are evil but really good.

00:26:36.220 --> 00:26:37.530
This did impact Carl.

00:26:37.530 --> 00:26:40.750
He thought this was messed up to exploit someone’s good nature like that.

00:26:40.750 --> 00:26:45.800
CARL: That was the biggest thing that was the hardest to shake out of my mind.

00:26:45.800 --> 00:26:49.280
I guess the mantra that you keep on going back to is you know what?

00:26:49.280 --> 00:26:53.900
If a good guy can do this, a bad guy can do this and if a bad guy can do this the ramifications

00:26:53.900 --> 00:26:55.480
are gonna be far more severe.

00:26:55.480 --> 00:26:58.360
Yeah, I guess it shows you that you’re human.

00:26:58.360 --> 00:27:02.790
It matters that you’re making those connections, you’re using a method like this.

00:27:02.790 --> 00:27:08.270
It kinda sucks but if it makes the client better and it means that a bad guy can’t

00:27:08.270 --> 00:27:14.030
perform a similar action, then I guess it’s why we do this.

00:27:14.030 --> 00:27:19.970
JACK: While it didn’t feel right, they went along with it using a slimy but solid exploit,

00:27:19.970 --> 00:27:21.850
the charitable side of humans.

00:27:21.850 --> 00:27:26.100
Okay, so this mark and these people that they’re exploiting are so overjoyed that someone from

00:27:26.100 --> 00:27:30.620
corporate wants to see their food bank that they started at work that they actually offer

00:27:30.620 --> 00:27:35.000
a car to come out and pick Jek and Carl up from the hotel.

00:27:35.000 --> 00:27:39.760
They agree to be picked up the next day but now Jek and Carl have a lot of work to do.

00:27:39.760 --> 00:27:44.230
They need to really become Bridget and Ted as best as they can.

00:27:44.230 --> 00:27:48.160
In fact, they picked two people who actually did work in the company named Bridget and

00:27:48.160 --> 00:27:50.820
Ted in an attempt to blend in even better.

00:27:50.820 --> 00:27:56.880
CARL: In the previous few days we had some extensive study time into these personalities

00:27:56.880 --> 00:28:01.550
that we were developing and going as detailed as okay, we’d quiz each other.

00:28:01.550 --> 00:28:03.280
Where did I go to college?

00:28:03.280 --> 00:28:04.280
What’s my wife’s name?

00:28:04.280 --> 00:28:05.280
What’s my husband’s [00:30:00] name?

00:28:05.280 --> 00:28:07.210
What did I study?

00:28:07.210 --> 00:28:09.380
Favorite activities?

00:28:09.380 --> 00:28:14.510
It was a huge cram session and you’re just kind of hoping that all that fit into your

00:28:14.510 --> 00:28:18.110
head and you’re hoping that the right fact is gonna come out of your mouth at the right

00:28:18.110 --> 00:28:19.110
time.

00:28:19.110 --> 00:28:20.110
JACK: The next day comes.

00:28:20.110 --> 00:28:23.590
The mark or the employee at the company sends a car to come get them.

00:28:23.590 --> 00:28:26.800
But to throw them off, they have the car sent to a different hotel.

00:28:26.800 --> 00:28:28.710
JEK: That is exactly what happened.

00:28:28.710 --> 00:28:33.460
They offered to pick us up and we didn’t want to bring them right to where we were

00:28:33.460 --> 00:28:38.410
just in case things went wrong and they figured out that we were not who we said we were while

00:28:38.410 --> 00:28:39.730
we were still in the country.

00:28:39.730 --> 00:28:42.010
We didn’t want them to connect us back to that.

00:28:42.010 --> 00:28:47.740
We were staying at a medium-rate hotel and we had them pick us up at the nicest hotel

00:28:47.740 --> 00:28:48.740
in town.

00:28:48.740 --> 00:29:00.490
The driver drove us to that site, the headquarters, and we were given visitor badges which were

00:29:00.490 --> 00:29:06.370
RFID visitor badges and just like that, we were led in.

00:29:06.370 --> 00:29:10.930
JACK: [MUSIC] Let me just back up for a second.

00:29:10.930 --> 00:29:14.180
When I was trying to think of a way into this building, I never would have thought that

00:29:14.180 --> 00:29:18.660
somebody was going to come pick them up at the hotel and take them into the building

00:29:18.660 --> 00:29:22.250
and give them valid badges to get in and show them around.

00:29:22.250 --> 00:29:23.840
This is unbelievable.

00:29:23.840 --> 00:29:32.410
JEK: Honestly there was a moment where we didn’t know if we were walking into a trap,

00:29:32.410 --> 00:29:36.910
if maybe they’d figured out what we were doing or that we weren’t who we said we

00:29:36.910 --> 00:29:42.000
were ‘cause we just picked out people on LinkedIn who we kind of looked like who did

00:29:42.000 --> 00:29:46.820
the jobs of the people we were trying to pretend to be.

00:29:46.820 --> 00:29:51.630
There was always the chance that maybe they reached out through internal channels and

00:29:51.630 --> 00:29:55.790
figured out that we were not who we said we were.

00:29:55.790 --> 00:30:02.640
There was a tense moment right as we walked inside, right as we were about to be greeted

00:30:02.640 --> 00:30:10.840
by our mark where we weren’t sure but then they welcomed us with open arms and were extremely

00:30:10.840 --> 00:30:13.880
excited to have us there so it was clear that they trusted us.

00:30:13.880 --> 00:30:17.940
They thought we were who we said we were.

00:30:17.940 --> 00:30:23.550
For the next three or four hours we hung out with these people.

00:30:23.550 --> 00:30:28.840
JACK: [MUSIC] When they came on-site, Jek had a small purse and Carl had a backpack.

00:30:28.840 --> 00:30:33.680
Jek didn’t have anything special in her purse but Carl had a rogue device and a laptop

00:30:33.680 --> 00:30:37.940
and he was constantly looking for a moment to get away and to go plug this into the network

00:30:37.940 --> 00:30:39.600
and try hacking into the place.

00:30:39.600 --> 00:30:44.010
But the team kept giving them a full extensive tour of the whole facility.

00:30:44.010 --> 00:30:48.940
CARL: In this three or four hours when we were in the building, we’re talking with

00:30:48.940 --> 00:30:56.070
them about community outreach and all of this, and in a way that kind of made it easier because

00:30:56.070 --> 00:31:01.630
being genuinely interested in that, it comes from the heart so it makes you come off more

00:31:01.630 --> 00:31:02.630
genuine.

00:31:02.630 --> 00:31:05.150
I don’t think they really suspected too much there.

00:31:05.150 --> 00:31:11.260
Had we had to talk about something too scientific like nuclear propulsion or something, we probably

00:31:11.260 --> 00:31:12.800
would have been outed a lot faster.

00:31:12.800 --> 00:31:20.820
It was nice to have a pleasant chat but going back to what we were saying before, we have

00:31:20.820 --> 00:31:24.370
that sitting in the back of your head like oh man, am I just a terrible person for being

00:31:24.370 --> 00:31:25.440
here right now?

00:31:25.440 --> 00:31:28.460
Because what you’re saying, it’s like a triple-layer cake.

00:31:28.460 --> 00:31:32.750
What you’re saying is true and you actually believe it but that middle layer is well,

00:31:32.750 --> 00:31:35.060
I’m here for doing something completely different.

00:31:35.060 --> 00:31:37.950
I’m actually malicious even though I’m talking about a good subject right now.

00:31:37.950 --> 00:31:42.060
Then you get that third tier like well, you know what, it’s for the best anyways.

00:31:42.060 --> 00:31:48.810
There’s a ton of emotion going through you at the time but it was pretty extensive for

00:31:48.810 --> 00:31:50.020
about three or four hours.

00:31:50.020 --> 00:31:59.330
JEK: Yeah, and we were – I’m actually kind of lucky that we did speak different

00:31:59.330 --> 00:32:00.330
languages.

00:32:00.330 --> 00:32:06.690
Carl and I speak a little bit of Spanish, he more so than I. They spoke a little bit

00:32:06.690 --> 00:32:07.690
of English.

00:32:07.690 --> 00:32:16.030
If there was any awkwardness or a difficulty communicating, if we slipped up a little bit,

00:32:16.030 --> 00:32:20.010
there was always that language barrier that we could fall back on.

00:32:20.010 --> 00:32:22.030
Like oh no, you must have misunderstood me.

00:32:22.030 --> 00:32:26.990
JACK: They’re there hours and hours on site but their hosts were so good that they never

00:32:26.990 --> 00:32:29.790
let Jek or Carl out of sight the whole time.

00:32:29.790 --> 00:32:33.370
JEK: Even when one of us excused ourselves to go to the bathroom, there was somebody

00:32:33.370 --> 00:32:38.510
popping up who was like oh, let me show you where to go.

00:32:38.510 --> 00:32:43.880
I was like are you going to come to the bathroom with me too?

00:32:43.880 --> 00:32:45.830
But they didn’t.

00:32:45.830 --> 00:32:51.280
As we’re walking out, I’m like dang it, there’s just no – I can’t get away.

00:32:51.280 --> 00:32:55.850
JACK: [MUSIC] At this point the tour is over and the host took Jek and Carl to the front

00:32:55.850 --> 00:32:58.320
door to say goodbye and to turn their badges in.

00:32:58.320 --> 00:33:00.500
Drats, they thought.

00:33:00.500 --> 00:33:04.510
They spent all day here and didn’t accomplish what they came to do which was to plant that

00:33:04.510 --> 00:33:06.860
rogue [00:35:00] device somewhere.

00:33:06.860 --> 00:33:08.900
Think quick; what else can you do?

00:33:08.900 --> 00:33:13.190
They’re now at the front at security, about to leave the building, and the guard is asking

00:33:13.190 --> 00:33:14.850
them to turn in their badges.

00:33:14.850 --> 00:33:24.670
JEK: Carl handed over his badge and I legitimately, for about two seconds, had misplaced where

00:33:24.670 --> 00:33:28.560
I’d put my badge in my bag.

00:33:28.560 --> 00:33:29.560
I was like you know what?

00:33:29.560 --> 00:33:31.400
I’m just gonna run with this.

00:33:31.400 --> 00:33:36.700
I was like oh no, I seem to have lost that visitor badge you gave me.

00:33:36.700 --> 00:33:37.700
I misplaced it.

00:33:37.700 --> 00:33:38.700
I must have left it somewhere.

00:33:38.700 --> 00:33:42.560
CARL: I’m just standing there looking casual, I’m maybe putting the right amount of distress

00:33:42.560 --> 00:33:45.680
in like oh no, you lost your badge, that’s so rude of us visitors.

00:33:45.680 --> 00:33:46.680
We should know better.

00:33:46.680 --> 00:33:50.120
JEK: They were like oh no, no problem.

00:33:50.120 --> 00:33:52.120
No problem. It’s fine.

00:33:52.120 --> 00:33:56.680
Thank you so much for coming to visit and keep in touch.

00:33:56.680 --> 00:34:05.190
I was let out a larger gate towards the side of the building and we were home free and

00:34:05.190 --> 00:34:08.579
I also had a visitor badge.

00:34:08.579 --> 00:34:13.070
JACK: The hosts arranged a driver and a car to take them back to that fancy hotel that

00:34:13.070 --> 00:34:14.480
they weren’t actually staying at.

00:34:14.480 --> 00:34:19.039
They get let out and they take their guest badge back to their hotel room and plan out

00:34:19.039 --> 00:34:20.259
the next steps.

00:34:20.259 --> 00:34:24.790
They now have a complete layout of the building since they were given an extensive tour of

00:34:24.790 --> 00:34:25.790
it.

00:34:25.790 --> 00:34:28.759
They know their way around pretty well now and they have a badge that will let them in

00:34:28.759 --> 00:34:32.179
through the courtyard gate, and through the turnstile, and into the building.

00:34:32.179 --> 00:34:37.109
They also know the itinerary of the host that gave them the tour and know exactly when they’d

00:34:37.109 --> 00:34:38.589
be tied up the next day.

00:34:38.589 --> 00:34:44.210
They waited until the next day to revisit the site, this time unchaperoned.

00:34:44.210 --> 00:34:50.569
JEK: We were able to return around midmorning when they had mentioned they were going to

00:34:50.569 --> 00:34:52.799
be in meetings all day.

00:34:52.799 --> 00:34:56.359
JACK: They both arrive at the building and walk up to the turnstile.

00:34:56.359 --> 00:35:00.650
They know that when you swipe it, one person is allowed through the turnstile which kind

00:35:00.650 --> 00:35:02.430
of makes it impossible to tailgate someone.

00:35:02.430 --> 00:35:07.020
CARL: Well, I think when we did that at the time, I think there was either nobody in the

00:35:07.020 --> 00:35:11.079
booth or they weren’t looking the right way so I know that I was super nervous about

00:35:11.079 --> 00:35:13.200
this.

00:35:13.200 --> 00:35:15.080
I went through and I used the badge first.

00:35:15.080 --> 00:35:19.410
JACK: Carl gets in and he turns around and hands the badge back to Jek.

00:35:19.410 --> 00:35:21.119
She swipes it and she gets in.

00:35:21.119 --> 00:35:22.790
Now they’re both in no problem.

00:35:22.790 --> 00:35:27.759
JEK: They did not have a one swipe, one entry protocol with their badge readers so we were

00:35:27.759 --> 00:35:31.940
both able to get in with the same card by just passing it back through the turnstile.

00:35:31.940 --> 00:35:36.829
JACK: Now their only objective here is to plant that rogue device in the network and

00:35:36.829 --> 00:35:37.829
leave.

00:35:37.829 --> 00:35:41.940
This rogue device is like a dropbox; it has a way for Carl to access it from outside the

00:35:41.940 --> 00:35:44.089
building and to get into it.

00:35:44.089 --> 00:35:48.329
If that device is on a good network port, this would allow him to try hacking into the

00:35:48.329 --> 00:35:53.170
network all night long safely from his hotel or from anywhere in the world.

00:35:53.170 --> 00:35:55.380
He just needs to find a good spot to stick it.

00:35:55.380 --> 00:35:59.589
CARL: From our tour the day before we had noticed that there were some conference rooms.

00:35:59.589 --> 00:36:04.640
They were fully occupied and we couldn’t get away from our hosts anyways but this next

00:36:04.640 --> 00:36:09.599
day, because fortunately there were extensive meetings, a lot of these conference rooms

00:36:09.599 --> 00:36:10.599
were empty.

00:36:10.599 --> 00:36:14.640
JACK: Jek and Carl pop into one of the conference rooms and close the door.

00:36:14.640 --> 00:36:18.900
Carl quickly starts pulling gear out of his backpack; the rogue device, the laptops, some

00:36:18.900 --> 00:36:19.900
cables.

00:36:19.900 --> 00:36:27.730
JEK: We were trying to look as normal as possible so I have Carl sitting on one side of the

00:36:27.730 --> 00:36:31.650
table and I was playing lookout but as casually as possible.

00:36:31.650 --> 00:36:34.990
JACK: The rogue device that Carl pulls out is an ODROID-C2.

00:36:34.990 --> 00:36:39.150
It’s a mini-computer about the size of a pack of cards, runs Linux.

00:36:39.150 --> 00:36:41.230
It’s kind of like a Raspberry Pi.

00:36:41.230 --> 00:36:46.270
He’s customized it to give it a mobile internet connection so as soon as it’s powered up,

00:36:46.270 --> 00:36:49.000
Carl can connect to it from anywhere in the world.

00:36:49.000 --> 00:36:53.210
Then he takes the internet port and plugs it into a network port in this conference

00:36:53.210 --> 00:36:54.210
room.

00:36:54.210 --> 00:36:56.270
But he’s not seeing much traffic go by on this port.

00:36:56.270 --> 00:37:01.010
CARL: If I don’t see substantial traffic that makes it worthwhile and not enough hosts,

00:37:01.010 --> 00:37:03.710
it’s not gonna be worthwhile.

00:37:03.710 --> 00:37:10.710
For example, if there are a lot of Cisco phones and there aren’t any Windows workstations

00:37:10.710 --> 00:37:16.380
or Linux servers, or just a sparse amount of traffic in general, if I don’t have a

00:37:16.380 --> 00:37:22.279
point to – or any data to leverage my device on in the network, there’s no point in planting

00:37:22.279 --> 00:37:23.279
it there.

00:37:23.279 --> 00:37:27.789
JACK: Often what corporate offices do is have a separate network for phones and for workstations.

00:37:27.789 --> 00:37:31.849
A phone network is often locked down to just allow phone traffic through.

00:37:31.849 --> 00:37:36.100
Carl is using a program called tcpdump to watch what traffic is being broadcast on this

00:37:36.100 --> 00:37:37.100
network.

00:37:37.100 --> 00:37:38.769
He’s just seeing phones.

00:37:38.769 --> 00:37:41.329
Drats, this port’s not going to work.

00:37:41.329 --> 00:37:45.849
He might be able to find a better port somewhere else that has a lot of workstations or servers

00:37:45.849 --> 00:37:46.849
plugged into it.

00:37:46.849 --> 00:37:51.849
CARL: I know that I have to essentially pack everything up and then tell Jek well, hey,

00:37:51.849 --> 00:37:55.029
I’m sorry, we’re gonna have to go onto the next room.

00:37:55.029 --> 00:37:59.091
Then we just try the next one.

00:37:59.091 --> 00:38:01.640
JACK: [MUSIC] They pack up and casually leave the conference room.

00:38:01.640 --> 00:38:03.930
They find another room and go in that.

00:38:03.930 --> 00:38:08.310
Again, Carl [00:40:00] unloads his gear and Jek acts casually and keeps a lookout.

00:38:08.310 --> 00:38:11.359
Carl connects into his dropbox and begins his attack.

00:38:11.359 --> 00:38:16.880
CARL: When we first log into the dropbox, we just want to see what’s going across

00:38:16.880 --> 00:38:18.390
the wire.

00:38:18.390 --> 00:38:20.700
A lot of it is really passive listening.

00:38:20.700 --> 00:38:24.269
I’m not actually giving myself an IP initially.

00:38:24.269 --> 00:38:30.220
I’m just passively listening layer 2, layer 3, and watching stuff go by.

00:38:30.220 --> 00:38:35.490
We wait as long as campaign time-wise, as long as we can afford to wait.

00:38:35.490 --> 00:38:38.970
It’s kind of a gamble based on that one or two minutes.

00:38:38.970 --> 00:38:42.220
I’m looking at the traffic; if I decide yeah, we’ll go with this one or no, let’s

00:38:42.220 --> 00:38:44.430
try the next one.

00:38:44.430 --> 00:38:47.930
Then I’m looking at MAC addresses flying by, I’m looking at what kind of workstations,

00:38:47.930 --> 00:38:54.150
if we’re looking at Linux boxes, if we’re looking at Windows 10, Windows 7.

00:38:54.150 --> 00:39:01.829
Then when I feel like dropping down to the wire, I’ll statically assign an IP and just

00:39:01.829 --> 00:39:05.500
drop myself down and then change the MAC address to make myself look like the workstations

00:39:05.500 --> 00:39:06.500
I’ve been observing.

00:39:06.500 --> 00:39:12.971
Then I’ll also change the TTL so if I’m pinged, I’ll also look like a Windows workstation

00:39:12.971 --> 00:39:14.750
instead of having it come back as Linux.

00:39:14.750 --> 00:39:18.090
JACK: But again, nothing good is on this port either.

00:39:18.090 --> 00:39:22.369
He’s not seeing any workstations or servers or anything interesting as he’s listening

00:39:22.369 --> 00:39:24.420
to what’s on the wire.

00:39:24.420 --> 00:39:25.480
This isn’t gonna work.

00:39:25.480 --> 00:39:27.289
Maybe he can find something better.

00:39:27.289 --> 00:39:31.940
The team once again picks up all the gear and goes to find another room to try again.

00:39:31.940 --> 00:39:35.730
They’re starting to get a little worried that the conference rooms might be all locked

00:39:35.730 --> 00:39:36.730
down.

00:39:36.730 --> 00:39:39.420
CARL: Well, there’s a little bit of fear that starts to eat at your mind a little bit.

00:39:39.420 --> 00:39:44.760
Like oh no, but each one in this floor might be a dead port.

00:39:44.760 --> 00:39:47.280
But the third one, something was different.

00:39:47.280 --> 00:39:51.369
I did notice in the first two, the port was a little bit dustier but I thought you know

00:39:51.369 --> 00:39:52.369
what?

00:39:52.369 --> 00:39:53.369
We’re here, I’m gonna go for it.

00:39:53.369 --> 00:39:54.369
I’m gonna try it.

00:39:54.369 --> 00:39:56.390
The third one, the port looked a little bit cleaner which is probably a better signal

00:39:56.390 --> 00:39:58.840
that people have been plugging in and out of it.

00:39:58.840 --> 00:40:03.049
[MUSIC] It worked and I was pretty relieved.

00:40:03.049 --> 00:40:07.720
JACK: After the third conference room, when Carl plugged in, he immediately saw workstation

00:40:07.720 --> 00:40:09.720
traffic. Bingo.

00:40:09.720 --> 00:40:10.720
This is the port he was looking for.

00:40:10.720 --> 00:40:14.660
From here, he can probably gain access to one of those workstations and then keep pivoting

00:40:14.660 --> 00:40:16.010
up to main servers.

00:40:16.010 --> 00:40:20.529
He’d be able to do all this from his hotel or even back home in the office.

00:40:20.529 --> 00:40:25.029
Their plan is just leave this device and do just that because it’s too risky to stay

00:40:25.029 --> 00:40:28.619
in this conference room for hours and hours and hours trying to hack into the place.

00:40:28.619 --> 00:40:32.079
It’s best to leave the rogue device, get out, and then hack into it later.

00:40:32.079 --> 00:40:37.279
CARL: Then it’s a matter of obfuscating the device as much as possible to make it

00:40:37.279 --> 00:40:41.039
blend in and look like it belongs there.

00:40:41.039 --> 00:40:45.230
Luckily there were a fair amount of cables underneath the table.

00:40:45.230 --> 00:40:50.069
In some businesses you like to look all clean and tidy, but in our scenario, we love it

00:40:50.069 --> 00:40:54.420
when people just leave trash everywhere and have cables going all over the place and just

00:40:54.420 --> 00:40:56.020
terrible cable management.

00:40:56.020 --> 00:41:00.529
I can tuck a device in there and it’ll look pretty benign.

00:41:00.529 --> 00:41:07.789
If we’re lucky we’ll sometimes find onsite some stickers from rummaging around from the

00:41:07.789 --> 00:41:11.549
IT department that we can slap on there and make it look official or we’ll print some

00:41:11.549 --> 00:41:16.670
out ahead of time that’ll say Company Name, IT Department, Please Don’t Remove.

00:41:16.670 --> 00:41:18.390
It makes it look a little bit more official.

00:41:18.390 --> 00:41:23.460
JACK: With this rogue device in place hidden neatly under the table amidst the rat’s

00:41:23.460 --> 00:41:26.940
nest of cables, the team packs up and begins heading out.

00:41:26.940 --> 00:41:29.200
This is all they came to do so it’s time to leave.

00:41:29.200 --> 00:41:33.380
CARL: Yep, yeah, it’s time to pack up and walk out casually and hope that you don’t

00:41:33.380 --> 00:41:39.569
get caught on the one-yard line before you get into the end-zone, really.

00:41:39.569 --> 00:41:45.260
That would be the worst thing possible to have somebody stop you while your device is

00:41:45.260 --> 00:41:50.930
planted and just trace everything back and have your campaign fail at that moment.

00:41:50.930 --> 00:41:53.489
We casually walk out and that was that.

00:41:53.489 --> 00:41:56.849
JACK: They even give their visitor badge to the guard on the way out since it felt like

00:41:56.849 --> 00:41:58.210
the end of their mission.

00:41:58.210 --> 00:42:01.809
At this point they had an Uber come pick them up and drive them back to the hotel with a

00:42:01.809 --> 00:42:02.989
feeling of accomplishment.

00:42:02.989 --> 00:42:09.460
CARL: Well, it’s a feeling of success as far as the time that I was given to build

00:42:09.460 --> 00:42:13.950
this device, the device works, the time I was given to research this location, that’s

00:42:13.950 --> 00:42:15.019
paid off.

00:42:15.019 --> 00:42:19.829
The trust put into me by the client to perform this and their interest and perform a service,

00:42:19.829 --> 00:42:21.249
that’s worked.

00:42:21.249 --> 00:42:28.080
I guess it’s a relief of you know what, whatever we can do remotely to this device,

00:42:28.080 --> 00:42:36.410
that will be what it will be but as far as the physical goes, we’ve earned what was

00:42:36.410 --> 00:42:38.230
spent to bring us here.

00:42:38.230 --> 00:42:43.960
We’ve upheld our end of the bargain so that feels good, and especially it being my first

00:42:43.960 --> 00:42:51.140
physical and not being very used to twisting people and creating the mirage and all of

00:42:51.140 --> 00:42:52.140
that.

00:42:52.140 --> 00:42:56.000
It felt good to not be arrested in a foreign country on my first attempt.

00:42:56.000 --> 00:43:01.390
JEK: We were in the car afterwards and I’m feeling the rush.

00:43:01.390 --> 00:43:03.589
I’m like yes, we did it.

00:43:03.589 --> 00:43:05.059
I feel good about this.

00:43:05.059 --> 00:43:10.989
[00:45:00] We got our teammates back home the access that they need and I look over

00:43:10.989 --> 00:43:11.989
at Carl and he’s just got his head in his hands.

00:43:11.989 --> 00:43:12.989
I was like what’s wrong?

00:43:12.989 --> 00:43:18.529
He was like, those poor people.

00:43:18.529 --> 00:43:22.559
CARL: That really kind of weighed heavily on me.

00:43:22.559 --> 00:43:28.560
Man, our hosts were so gracious and they were so passionate about their project that it

00:43:28.560 --> 00:43:35.809
felt bad that underneath it all, we were essentially lying to them about our purpose there and

00:43:35.809 --> 00:43:40.960
that’s something that even with X amount of rationale, it’s an inescapable feeling.

00:43:40.960 --> 00:43:47.309
JEK: It was kind of a wake-up call moment for me and I knew what we were doing was not

00:43:47.309 --> 00:43:48.309
great.

00:43:48.309 --> 00:43:56.759
But I’m glad that he recalled me to that because I’ve been doing this for so long,

00:43:56.759 --> 00:43:59.539
I sometimes can lose sight of that.

00:43:59.539 --> 00:44:01.599
He keeps me grounded.

00:44:01.599 --> 00:44:09.619
That was exactly what I told him, was look, we are pretend bad guys and there are real

00:44:09.619 --> 00:44:13.420
bad guys out there.

00:44:13.420 --> 00:44:19.710
We can feel bad about this, that’s fine, but we’re a vaccination and shots suck.

00:44:19.710 --> 00:44:25.650
JACK: Using the rogue device, the team did find more vulnerabilities in this network

00:44:25.650 --> 00:44:29.380
which got them domain administrator access into the network.

00:44:29.380 --> 00:44:35.890
CARL: Even though it’s current year, sometimes people still have unencrypted credentials

00:44:35.890 --> 00:44:38.509
flying around their network.

00:44:38.509 --> 00:44:44.910
With sufficient amount of monitoring on the wire, credentials were recovered that allowed

00:44:44.910 --> 00:44:53.259
us to pivot into multiple systems and then we eventually escalated up to DA.

00:44:53.259 --> 00:45:00.329
We were able to extract all of the valuable information that you’re looking for in a

00:45:00.329 --> 00:45:06.650
situation like this as far as credit cards and PCI and all of that.

00:45:06.650 --> 00:45:11.789
JACK: All within a few days of recon, and a few days of actual exploitation, this team

00:45:11.789 --> 00:45:17.089
successfully got in, put the rogue device in, and gained full access to the network.

00:45:17.089 --> 00:45:18.130
Incredible.

00:45:18.130 --> 00:45:21.650
The team wraps up their findings and puts it all into a report and gets on a conference

00:45:21.650 --> 00:45:25.869
call to explain everything to the client who’s the head of security for this organization.

00:45:25.869 --> 00:45:28.950
JEK: There’s always a little bit of awkwardness.

00:45:28.950 --> 00:45:31.809
There’s always a little bit of shock.

00:45:31.809 --> 00:45:39.160
I think a lot of people assume that it’s gonna end up better for them and speak better

00:45:39.160 --> 00:45:42.650
of their security than it ends up being.

00:45:42.650 --> 00:45:48.481
In this particular case, it was very personal because it involved very little of their physical

00:45:48.481 --> 00:45:49.481
security.

00:45:49.481 --> 00:45:53.630
Their physical security held up quite well under the circumstances.

00:45:53.630 --> 00:46:02.960
If we were malicious actors in-country, there’s a potential that we could have made our way

00:46:02.960 --> 00:46:06.529
covertly past their security.

00:46:06.529 --> 00:46:14.990
But what we did was we exploited the human factor and that hurts a little bit more.

00:46:14.990 --> 00:46:20.749
We not only have to explain the situation to the folks who received our report, but

00:46:20.749 --> 00:46:24.630
then they had to go down and debrief this team.

00:46:24.630 --> 00:46:29.009
JACK: Because the team felt bad that they exploited these people, they tried to make

00:46:29.009 --> 00:46:33.119
something positive from all this and they really pushed hard to have the corporate headquarters

00:46:33.119 --> 00:46:37.259
connect with this food bank project and get acknowledgment and help from corporate.

00:46:37.259 --> 00:46:39.349
That did, in fact, happen.

00:46:39.349 --> 00:46:42.950
The headquarters was happy to see the food bank project and they helped give it more

00:46:42.950 --> 00:46:46.069
resources and recognition to make it even more of a success.

00:46:46.069 --> 00:46:50.240
JEK: In this particular case, the big thing that they could improve was their security

00:46:50.240 --> 00:46:57.200
awareness within the company, doing things like double-checking domain names.

00:46:57.200 --> 00:47:05.550
When people put pressure on you to do something quickly to give them access to a piece of

00:47:05.550 --> 00:47:10.819
information or a file, or a physical location quickly, that should raise some red flags

00:47:10.819 --> 00:47:11.819
for you.

00:47:11.819 --> 00:47:15.980
That’s exactly what we did in this case, was we showed up in-country and said hey,

00:47:15.980 --> 00:47:19.369
we’re only gonna be here for a couple more days and we’re off to this conference so

00:47:19.369 --> 00:47:25.970
if you want to meet us and you want this food bank project to be noticed and maybe get a

00:47:25.970 --> 00:47:29.979
little bit more funding for it, you need to meet with us soon.

00:47:29.979 --> 00:47:33.329
You need to give us an answer soon.

00:47:33.329 --> 00:47:35.509
We took advantage of that.

00:47:35.509 --> 00:47:36.720
JACK: You know what?

00:47:36.720 --> 00:47:41.380
The people who started this food bank project, the marks that got social engineered by Jek

00:47:41.380 --> 00:47:45.910
and Carl, this is a story they’re always going to remember.

00:47:45.910 --> 00:47:47.749
This is a story they’ll share with everyone.

00:47:47.749 --> 00:47:53.910
A story like that will certainly travel around the company about the two evil penetration

00:47:53.910 --> 00:47:59.470
testers who exploited such good people and whoever hears the story will think twice about

00:47:59.470 --> 00:48:01.999
what a bad guy is actually capable of.

00:48:01.999 --> 00:48:05.820
These people still work on their food bank project but now they validate their

00:48:05.820 --> 00:48:09.029
guests a little closer before showing them around.

00:48:09.029 --> 00:48:13.619
Hopefully this is a good lesson they learned which at the end, makes security a little

00:48:13.619 --> 00:48:15.029
better.

00:48:15.029 --> 00:48:23.400
JACK (OUTRO): [OUTRO MUSIC] You’ve been listening to Darknet Diaries.

00:48:23.400 --> 00:48:27.039
A big thanks to JekHyde and Carl for sharing this amazing story with us.

00:48:27.039 --> 00:48:28.460
You can follow Jek on Twitter.

00:48:28.460 --> 00:48:30.440
Her handle there is @hydens33k.

00:48:30.440 --> 00:48:37.800
Oh, and about this podcast; I’m about to rebrand this whole thing, new podcast artwork,

00:48:37.800 --> 00:48:39.550
new website, new stickers, everything.

00:48:39.550 --> 00:48:42.599
I’m super excited about that so look for it soon, TM.

00:48:42.599 --> 00:48:45.119
Want to discuss this podcast with other listeners?

00:48:45.119 --> 00:48:46.119
You can.

00:48:46.119 --> 00:48:52.339
You can join us over at Reddit at reddit.com/r/darknetdiaries or on Discord at discord.io/darknetdiaries.

00:48:52.339 --> 00:48:55.230
See you there.

00:48:55.230 --> 00:48:59.710
This episode is created by me, the one-eyed, one-horned, flying purple packet-eater, Jack

00:48:59.710 --> 00:49:00.820
Rhysider.

00:49:00.820 --> 00:49:03.880
Theme music was created by the shrimp-sampler Breakmaster Cylinder.

00:49:03.880 --> 00:49:06.069
See you in two weeks.
