
Deception via Perception

BSides Cape Town · 2022 · 1:24:29 · 139 views · Published 2023-10

About this talk
Jayson E Street delivers a keynote on how perception shapes security vulnerabilities and how attackers exploit assumptions about people, systems, and environments. Through physical penetration testing stories and social engineering demonstrations, he argues that effective security requires organizations to treat equipment stewardship as a core job responsibility, not an afterthought.
Original YouTube description
BSIDES Cape Town 2022 Conference Final Keynote Track 1 (Final Keynote) DECEPTION VIA PERCEPTION: Jayson E Street Re-upload for better audio quality.
Transcript [en]

Okay, so, final talk for the day. Afterwards we're just going to do a closing remark, and surprises, and we'll be off to the party as well. But before that, we imported some hacker goodness from the US. I don't want to introduce him myself because I might screw it up, so I'd rather leave it to the man himself. Give him a warm welcome while he's here.

It's his birthday in South Africa, just to talk to a lot of you, so just take that... it's not today, but just take that into account. Should be fine. Thank you, thank you for being hardy enough to actually stay to the very end and actually make my talk; I always like it when that happens. And surprised. So, thanks. We're going to start off with my legal disclaimer: I'm not a lawyer, but I played one on the internet successfully before. And so this is my legal disclaimer, because during my talk I'm going to talk about things where you're probably going to go, "That's horrible, why would you do that?" It's like, "You're a bad man." Like, no, remember the kittens, I'm adorable. Okay? I will not try to steal from you, kill you, or ruin you financially unless you pay me first. There's always a contract. Okay, so when you hear some of these stories and you see some of the video (yeah, I got video of it), just remember the kittens.

The title of my talk is perception: from a blue tractor to a blue and black dress. Yes, there is sort of a message behind it, but it's basically one of perception, because we all saw it: whenever I used to see the little blue tractors, farm tractors, I thought those are adorable, I'm adorable, I love those things. No, those things are very scary; they're anti-tank weapons, who knew? So it's all about trying to go and show, "Oh, this is what we think something is," but you never know when someone can do something else with it, or when we see something every day and we're like, "Oh, that's what this is for, it's totally harmless." Maybe not so much.

Now, also a big thing that I want to make sure that I address, because I got a lot of flak for that: I have some really good Russian friends, and they are sincerely my friends. I've been to Moscow, I've been to St Petersburg, I spoke at a conference in St Petersburg, Russia, in 2019. There are very good people there, and they're very good, wonderful hackers that are committed to doing good. One of my friends is missing because he was protesting in Moscow against the illegal Putin invasion. But some other hackers were coming to me like, "Well, why are you anti-Russian?" And I'm like, no, I'm not anti-Russian; Russia's a wonderful country. I'm anti Putin's illegal invasion, which is destroying his country and the Ukrainian country. That's what I'm against. There's a difference, and I'm not trying to be political, I'm trying to say there are some things that we have to stand up for. Like when George W. Bush illegally invaded Iraq, for the whole lie about the weapons of mass destruction, because you know that was a lie and a wrongful invasion. So I should know; that Putin stuff is wrong.

There was a simple thing, though, from that: someone threw a shoe. If you know about Arabic culture, in the Middle East, just seeing the sole of one's foot is an insult; to throw the shoe, that's more than milkshakes or tomatoes, okay, that's bad. So it was a big insult, and that one shoe became the symbol of the unrest that the Iraqis had from people invading their country. Because attacking Iraq after 9/11 would be like, you know, the US attacked Afghanistan, "Oh, let's take Iraq too." That's like if during World War II, during Pearl Harbor, we decided, "Well, let's attack Japan and Mexico." Not really; it shouldn't be done. So that shoe was the symbol.

In the 1970s, when women were having to fight for their rights, to be counted as a human being, they threw things in the dumpster to show the equal rights; they never burned it. They never burned bras; they were throwing them in the dumpster along with broom handles and other things that were supposed to be considered feminine. But of course, guys, me, the reporters, all concentrated on the bra, because boobies. And that became the symbol of that movement. And luckily, since the 1970s, that's all been fixed in America and women are just told... oh wait, no, sorry, it's still a dumpster fire there for women. But yes, that became the symbol.

And in Iran right now, currently, they are just doing the simple thing of cutting their hair, in frustration and rebellion, and people realize, "Why are they cutting their hair?" It's from a poem from the... I'm not going to mispronounce it, but there's an old poem; it's a tradition from hundreds and hundreds of years ago where when they go to battle, or when they go to protest, when they go to show that they're going for war, they will cut their hair. And so they are cutting their hair as their protest against the regime, the unlawful regime that's going on right now in Iran, that is putting them in just as much jeopardy as Iran puts the rest of the world in jeopardy. So it's those kinds of outpourings, those protests: it doesn't matter what country I'm from, I've got to stand up and say something, because if you have a voice, use it, because a lot of other people don't have one. And so that's what I try to do. So that's what it's not: I don't hate Russia, I hate dictators.

Now, about me: I like to ride motorcycles. I've been on television correcting reporters; it looks like I like screaming at people, but that's actually me getting a thought. I like to do weird things in weird places; that's me actually skydiving outside of Mossel Bay here in South Africa, and there's me robbing a bank. And then I love playing No Man's Sky. No Man's Sky is an amazing game; it's like Minecraft for old nerds, you should try it out. So now let's get into the good stuff. Oh, if you want to know more about me, jason.com; if you want to know where I've been, hack adventures. world; or if you want to read my LiveJournal diary, Twitter, at Jayson Street, while it still exists, or Mastodon. So, let's get into it.

This talk is a little bit different, because I decided to end it on myths. I want to bust some myths. This is the last talk I'm giving this year, thank God; it's been a long year. So there's a lot of new content I want to go over. I want to start off with the blue team myth. Okay: "humans are the weakest link." That is so much bull crap, so much of a lazy excuse that blue teamers use when a user clicks on a link on a website or a user clicks on an email. They're like, "Well, we're blaming the user, like, click on a link, stupid user." Stupid information security didn't properly teach their users.

They're not the weakest link; they're the least invested in. If I was running a company and I invested to protect my people as much as I invest in people to protect my technology, our company would have a firewall like a PIX, you know, 800 or something like that, with a default ACL list with an allow-all rule. No logging, because, you know, that's just going to fill up; we need a place to actually put the backup for that, so screw that, we don't need that. And they would have a Snort base install with all the signatures running, but that's okay, no one's actually paying attention to it, because we've all seen a freaking Snort install with the basic script running, right? Would that be helpful for your company? No. So you invest money, you work on that, you make sure that you're applying the right technology to protect your company from network and computer-based attacks, but you need to understand that it's evolving. We need to start investing in our people to learn how to protect our technology, and then use the technology as a safety net. We've been using technology like it's a wall; we're like, "Build a wall, make the APTs pay for it." Trust me, I know that doesn't work, okay? Spoiler alert. We've got to stop trying to make it the one-all defense, because when that technology fails, and it will, you're screwed, because the human's not prepared to take over and figure out what's going on. So you need to start showing more and creating more of a way to get people to protect the technology, and when they screw up, and they will, the technology can be the safety net to keep you from being totally breached.

And trust me, a lot of you are going like, "Yeah, those blue teamers." Let's talk about how stupid the red teamers are sometimes, okay? Because the red team myth that I hate the most is that they are there to break systems, exploit what they can, and show the client how they failed in defending against their leet attacks and hacks. Mother, I am so tired of the toxic masculinity in the freaking red teaming industry, where their whole model of quoting things is from a convicted rapist who, when he was hit in the face, decided to bite a guy's ear off as his only recourse. Okay, if that's your life coach, you need a new life, okay? And also he's a plagiarist; he actually plagiarized that thing from a Prussian general, who actually used it as a warning for people like the red team, because it was actually "no battle plan ever survives contact with the enemy." That should be a warning for red teamers: that when you go into that place, whatever you thought you were planning, you're not prepared for what you're going to find. That's what it was about. But I mean, you know, Mike Tyson is like, "How did you expect to get hit, right?" So we need to stop with this attitude that red teamers are there to break things, that red teamers are there because they're like the elite rock stars in this industry. Screw that noise. The only reason why the red team exists is to make the blue team better, and if you're on the red team and you're not trying to be an advocate for your clients, and you're more concerned about being the adversary, you suck at your job. So that's what that's about. So I'm making a lot of friends here, yeah, but straight up, that's what we need to understand. I'm not trying to be an adversary to my clients; I'm trying to be an advocate. It doesn't matter how well and leet my attacks are, they're not paying for that. No client in history has paid you for that; they're getting that for free every day. They're paying you for the report.

Mother, that's what your job is. It doesn't matter how good your leet hacks are or how well you bust it; if you can't properly train that and talk to that and communicate that to the team and to your clients and to their executives, and show them the importance of getting these things fixed and how they can get those things fixed, you wasted everybody's time. It doesn't matter how cool it was; it's ineffectual, it's unimportant, because there were no actionable items afterwards. That's what we need to start understanding: you were there to make the blue team better, you were there to help verify and make sure that their defenses are working the way they wanted them to, and if you're not doing that, retire.

So, I'm not sorry, I'm a little feisty; you're just gonna deal with it. I'm going out in a blaze of glory this year, guys, so just enjoy the ride, okay? Because I ain't done. And I'm not limited to the red and blue team, okay, because I like colors. I like to call myself a simulated adversary, or, Sean from a podcast that's in the UK, he said, "I'm a security awareness operative," and I said, "Oh, that sounds cool," because, Secret Agent Man, security awareness operative. It sounds a lot better than, "Hey, I'm a guy who lies to a lot of people." But that sounds cool too. But for me it's about education, not exploitation. I don't use any exploits in any of my attacks, in any of my engagements. They're always like popping Notepad, or just doing something that helps educate. I want them to catch me in every engagement. I promise my client, it is part of our contract, it is part of their understanding, that by the third day of the engagement I will be caught, either by them actually doing a great job, which is the best, because if you're not rooting for your clients you need to reorganize your life priorities. You want them to do good. You're there not to break it but to validate it, so if you validate it, that shows that they were good and that they caught something; that's still a win. So I want to make sure that I get caught, because I want it to be a positive experience for the users, because I'm not breaking into servers, I'm attacking people. I have never seen an email server get sad because it got popped with MS08-067. Does it still happen? Yes. Today? Yes, it still happens. Now they're going to, like, the really hot new sexy thing from 2011, you know, EternalBlue or something, but still

it's still happening, okay? But those servers don't get upset for that; people do. Instead of just giving them all the things to look down on and what they did wrong, I always make sure I give them something to look up to, something to show that they can try to emulate, so they can go up to that point and be like that person. And yes, sometimes I have to try really hard to get caught. I mean, I've spun around in a chair before. I shut down a machine during business hours and walked it out of the door before they figured out that I wasn't supposed to be there for the last half hour. But they did, and they were the winners, and I wrote their names down. Never write down someone who failed; I always write down the people who catch me. And I tell them that. About two minutes after I successfully escaped, I go back and I talk to every single person that I attacked. That's my job; that's where the work starts, because that's where the social engineering starts. Like, "Yeah, I'm sorry, I was a horrible guy and I just robbed you. What you did, you shouldn't have done; I was being a bad person. And oh yeah, you're not getting those new computers, I lied, I'm a horrible person, remember the kittens." But it's like, yeah, I'm sorry, but this is why this is helping you, because I'm not here to test you, I'm here to teach you. So therefore you didn't lose, you learned. You had a lesson, and that's what it was about. And you show them how you were just trying to teach them, and you make it a positive experience, and that way you have a very well educated workforce that now understands what an attack looks like when it occurs, and they'll be more ready for it. That's what it's about, because I don't use advanced attacks.

I'm not using, like, zero days; that's like no way, you know, my skill level. Because I always hear... I'm so tired of hearing about APTs. Oh my gosh, "Yeah, we got popped, APT got us." You know what APT is? It's what the CEOs tell the shareholders and the public when they get popped by an email, right? That's what APTs are. APT stands for... not Advanced Persistent Threat, you know, it sounds scary. No: Adequate Phishing Technique. There, now we got it, now we know what it is. That's what an APT is, okay? I'm not even doing that stuff; I'm just bad basic adorable destruction, that's it. I'm not checking to see if you're compliant. I call PCI Schrödinger compliance, because everybody's PCI compliant until they're not. Have you noticed that? You notice all these companies that get popped, like, "We're PCI compliant"? So yeah, that's really weird, but no, I don't care about your PCI or your HIPAA, hippo, hobo, whatever, your Gramm-Leach-Bliley, your Sarbanes-Oxley, or whatever other old white dude you want to name a policy after. I don't care. I'm just there to F you up. I'm there to be the worst possible thing to happen to you at the worst possible time in the worst possible way. I crash parties, you know; that's what I'm there for. I mean, I live by Firefly and Serenity, you know, big boo to Fox for cancelling, but I just want to be a villain; I just want to misbehave, and that's what I do.

I see so many people go into their clients and they tell them, "Oh, we went through the zero days and we just got this remote shell, got privilege escalation, which we were able to then pivot into this other network and own them, and then we got all the secrets, and then one of our red teamers, they went through the Skylock stuff, you know, they circumvented the security by overriding the machine." And their clients are saying, "We're secure," and you're like, "What? I just told you..." "Yeah, but you were like mchas and we were like APTs, we don't have to worry about that, we don't have to worry about nation states, we're just like a donut factory in the mo. Why do we have to worry about something like that?" And so therefore they don't understand the nature of what they really need to protect. Me, I usually go in and I just say, "I spent less than two hours on Google, I came up with this phishing attack, and had your CEO click the link." He's the one who hired me to do the phishing engagement. Story: there was one where I walked into this bank, I'd never been there before, and I compromised all the machines, and it was bad. And trust me, you're going to see a video of that later. That's something you have to take seriously; that is something you have to fix now. People may think that your zero days and stuff are not something that they have to worry about; trust me, the data shows that out, right? But when you show someone how easy it is and how basic it can be done, that's something they have to take a little bit more seriously. So I'm going to show you a little bit of the network side. I want to focus mostly on just doing physical compromise, but, you know, it's a hacker conference, I've got to do some computer stuff, technical stuff. So I'm going to show you guys some of my recon, okay? I use one of the most elite hacking tools ever developed in this world, and stuff,

you know, and I use it regularly. I'm only going to write down the URL; it's a great place to go start off when you're doing recon for an engagement: google.com, amazing hacking tool, okay? It's where I always start. Right here we're going to hack E&Y. If you work for E&Y, raise your hand. No, don't raise your hand, I don't care. When I was just starting out in 2001 or so... I first got my job in 2000 in information security, because I'm old. But in 2001 I tried to get a job at Ernst & Young, and they wanted to hire me, because I passed everything, even the technical stuff, believe it or not, back then. But I didn't have a high school diploma; I was a GED, you know, high school dropout, and I didn't have any college, so they're like, "Not good enough for us." So I'm petty, so we're going after them today, okay, because why not? That's how I remember. So we're going to go after E&Y and see if I want to rob their building physically, but how would I do that? I need to find out information about them. So now I need to find out where they're at. I decided to go after the New York office because I actually went to one of their Extreme Hacking trainings one time in 2003, and they got really pissed off at me because I found a vulnerability in their SQL server that was internet facing that shouldn't have been, but that's another story that they don't allow me to tell. But screw them again; what happened in New York... so we're going to go out to the New York office.

And one of the things that always gets me is how people think perception matters so much, because you see Ernst & Young on the building, right? Fancy. Ernst & Young owns that building? Look, you've seen The Avengers: Tony Stark's got his name on the side of the building; he's not the one collecting rent, he doesn't make sure that the Starbucks is doing all their job, they're hiring the maintenance group. Well, he's actually not doing anything now because he's kind of spooked, but still, hashtag too soon. But still, he doesn't do any of that. No one does that; they have building management companies that handle that. Ernst & Young thinks security is very important; building management companies think selling office space is very important. See the disconnect here? So I want to go after the building management company. They're originally titled 5 Times Square, which is where they're located, so it's easy to find them. And

one of the things that I love that they tell me, some of the things that you don't realize, that information you're giving out can be useful to someone trying to attack somebody, like telling me where all your employees go to eat. "Why does that matter? That's not really where they go to eat." Oh my gosh, yes, that's exactly where they go to eat, because they're good company workers. Of course they're only going to go somewhere within like a five, ten minute radius, because they want to be quick and go back to work, because they're team players. So now you're showing me exactly where I can go to, like, set up some wireless access points, do some prox card cloning, take some pictures of badges, if I ever did those things, actually. But also where to send emails from, saying, "Hey, you're a regular customer at our location, here is a $5 gift coupon, please feel free to print out this PDF for your $5 coupon." "Yeah, $5, I need an extra burrito." I'm pretty okay. You ask Bob in accounting how quick that works, right? No, if it's the Bobs or accounting people, what they do, you know. Right, so that would go right there. But what else does it show you? Oh, that's your hotel; look at all the hotels. Why is that important? Because that's where all your executives from out of town are staying, and we all know how secure the Wi-Fi is at hotels, right? Locked down tight, better than the Pentagon. Not saying much, but still. No, it's not a good thing; that is not a good place to be advertising.

But you know what else I loved about this one, because this one was special for me: they provided the blueprints. I love it. You can tell there are some actual physical red teamers here, because they're like, "Yeah." They show me exactly where everything's located, and I love the way that they do the highlight. I didn't make it blue and yellow; they just did it that way already, so yay, but it fits the theme. But one of the things that I loved about it: this is how they use mind tricks, like this is their Jedi mind trick, because you see that highlighted blue area? That's the street level lobby,

but they want you to pay attention to that; they make it colored. Screw that noise: that whole blue area should be red, because they've got security in there. Those guys are mean; they pay them extra to be mean. They ask questions when you try to walk in and go up to rob places. I don't like that. Who likes that? No. I look at the gray area that they're trying to distract you from, in the lower left hand corner, which actually shows: oh, there's the loading dock, there's the freight elevator, there's the mail room, there's the facilities I need to go to. And the same thing in the other areas: oh, there's all the back doors right there on the left, thank you. I have always, when I'm breaking into a high-rise... I literally was robbing a place in Boston and literally got a guy to get me into the loading dock so I could go right up the freight elevator. The look on the face of the guy who paid us, when he came back from his meeting and found me in his chair, was chef's kiss; it was amazing. But all through the freight elevator. But they didn't stop there; they show you blueprints of all the floors. Now why is that important? Well, for one thing, it lets me become familiar with the surroundings, and when someone comes and questions you and says, "Hey, what are you doing here?" it's like, "Oh, I'm going down to the right, and set up by the conference room, the electrical closet, doing an audit." And they're like, "Oh, okay." They're more likely to let you go because, why? Because down to the right by the conference center, the conference area, there's an electrical closet. How would you know that unless you've been there? Project management company, thank you. So, yeah, that's really great. And you notice how they're still doing the Jedi mind trick thing, right? That dark area: "Here be dragons, don't look here, there's nothing to see here, citizens." But they still want to sell space, so they eventually uncensor it for you, which I thought was adorable, thank you. So now you can see a very nice clear view of where the mail room is and which way you're going to turn from the freight elevator to get into the facility, and also the restaurant bar, because I drink a lot of Diet Pepsi and that's a good place to know too. Yes, that's perfect.

And one of the scariest things was, I can do this in your lobby, or a Panera Bread, having pizza and Diet Pepsi on one of my little mini devices, and I did this other one when I was checking it out in a hotel room in Stockholm. And I've got this little bitty computer strapped on my side in my little e-holster, because, you know, from Texas. But the whole thing is, when I'm in those lobbies and I'm in those places with equipment that doesn't look like a computer, I can start doing research and recon. Lobbies should be just for getting people from the front, registering them, and sending them off. But we put Starbucks there, we put little shops, we put little cafes. I'm like, thank you so much, because now I can spend hours just sitting there drinking my... no, actually I don't like that, but, you know, just drinking that, and just tracking the foot traffic to see what people are wearing, to see what the security guards' patterns are, how attentive they are, checking all that out while I'm probably running a malicious attack locally as well. You know, I'm bored; I've got ADHD like everybody else in this industry. So yes, I'm going to be doing things like that. So that was just one of the things you've got to be careful about, because you never know when attackers are going to show up in your area going, "What can I do?"

That's their office, right down by the waterfront, very beautiful building, and their interior... oh wait, I didn't go in the interior, I don't know anything about the interior. But now let's go and look at some of the social stuff. Got to hit the socials, because, well, Twitter still exists, anyway. We've got to keep in them. But here it is on Instagram. I love that people talk about how they go in and they break into a network to do network discovery; you're literally breaking into a network to see what devices are on the network or what kind of technologies they use. Look, have you heard of LinkedIn? Their job postings tell you exactly what technology they have. The people that they currently have hired for positions tell you exactly what firewall they're using, what antivirus they're using, what Office products, what programming languages they're using. They're all telling you that. And then you also have Instagram and stuff showing you where your employees are and what the inside of their buildings looks like as well. And also, what happened there? Something happened there. Looks like something happened there; it wasn't me, yeah, okay. But they're also showing what kind of devices they're using: Lenovo laptops for this one company, which is, like, scary right now, right? Still, hashtag. But also they've got Dell and some MacBooks and some iPhones; who doesn't? So they've got all those devices, so you're already knowing what their architecture is, what kind of equipment they're using. But one of the other things, the main reason why you use social media, okay, and also probably one of the main reasons why security people drink, hashtag that's why we drink. Fellow... I'm still loud, can y'all still hear me? Yeah, okay, good. Epic. I don't care. So, no, I'm... huh? Oh, I don't... he stole it, that guy right there with the glasses.

look how this he looking I said Baptist okay so one of the things that gets me is you look for hashtag new badge and you're like aorus Board of Sorrow because you see all these people posting their Badges and you got one guy over here it's like they're actually posting the keys to the building on and you're like why is that a big deal that remember when Department of Homeland Security decided to print all the uh show all the TSA Keys guess who's got all the 3D printed TSA keys do you really want me having the TSA keys to your luggage no it's like and remember that's the same government my government yay it's like that wants all your digital

Keys as well I'm sure they'll handle it way better than the luggage keys right yeah it's like when confronted by that department of momand security did the only thing that they could do logically uh they said well that wasn't really meant for security that was convenience so we're not going to change the lives because that c you know effort uh so I'm sure if that something happened the digital keys they would take responsibility for it um but I digress very ring today it's like so let's go and see what else because you look at all these badges you're like what are you going to do with those Jason I'll tell you they patiently I've got the badgy

100 the only way this could be cooler if it was called the badgy 3000 okay that is the only way cuz they're talking from taking a picture off of Instagram to printing a new bags with your name on it it's like 15 minutes and you're owning it and I and I love my detractors because you know they're adorable too and it's like and I love the ones they're like yeah Jason are are using approxim regulation calling into your no I don't put HIV on I I don't do the hit I don't do no I deliberately make sure that it doesn't because I don't need it because I'm going to walk up to the badge reader and I'm going to

be dressed nice and I'm going be

like look security hello I've got a meeting in five minutes it's like I need white guy in a suit hello hey what's used to having white privileg if you can't talk about how horrible this right it's likey and then you go open the door for you it's very nice of them I really appreciate it um it's like so yeah it's like I don't do the lockpicking thing because I'm not that great with it it's like I usually just get them to open the door it's much funner um now I want I want to ask a question with you it's like it's like do you think where you work is more secure from infiltration and compromise that EV event which

understands and is aware that people will try to rob it? Because through the years, believe it or not, I've told a few stories during my talks, and if you haven't been one of the people that have gone, Jayson, that is total BS, I'm surprised, because that's what I say every time it happens to me, and I was there, okay. But I want to talk about this, because I have a lot of people that talk about how I'm not technical. I don't know how to program, I don't know any of the languages, I barely handle English, okay, I'm from Texas. So no, I don't do that. But let's see how effective we can be doing a basic attack while walking in, and see how that goes. And I want y'all to make sure that you're timing it, and see how long it takes for me to walk into a branch that is currently closed, to getting a compromise, compromising the first machine. Let's see how many minutes or hours it takes to do that one.

So here we go. We're going to walk in here, and I can't see the thing so we're not going to have sound, but look at her, she's amazing. She is the star of this show, because she knew I was sketchy AF as soon as I walked in. Did you see the look on her face? She knew I was trouble. Oh, by the way, 15 seconds. If you were counting how long it took for me to walk in the front door to compromise the first machine, the answer was 15 seconds. Here I am at 20 seconds, the payload is executing; at 25 seconds it's done; and in under 30 seconds I've compromised the first machine in the bank. And then here she comes, going out of her way to come and stop me and question me, another amazing thing that everyone should be doing. And of course I tell her, in my assertive role, I'm doing a USB audit. What's a USB audit? I have no idea, but I do a lot of them, okay, every engagement. And I'm not crumbling, I'm not showing that I've been caught; I'm actually being assertive, going, didn't you talk to headquarters? Can you talk to the manager? I'm supposed to be here. And she's like, well, you need to go talk to my manager, another right thing that you're supposed to do. I'm like, sure, I will talk to management. But here's where she made the one mistake: she goes to get the manager's attention, and then I assure her that I'll stand by and she can leave, and she thought I was going to be honest. So I immediately go in and I switch to a passive role and I compromise the manager, because the manager thinks that she vetted me, and she thinks the manager's going to vet me. Nobody vetted me. So I'm just, I'm from Microsoft and I'm trying to make the network faster. Look, you could be on a direct line straight to your desktop; you ask someone, hey, is the network running slow? Yeah, I think it is, just a bit. I'm here to make it faster. What do you need from me? I need the network servers. So I asked to go and see them: I'm here to make the network faster. That guy there, serious business, that's my trusted agent, because once again it's an educational experience. I don't want to get tackled, because I'm fragile, I bruise easily. But he's way too close, because he can't freaking believe what's going on right now either.

And then I get the manager going. This is from the National Geographic show; this is unaired footage that Darren Kitchen was nice enough to acquire somehow, and so this is all unedited, because I don't want you to think I tried to make it look cooler. So sorry for the butt cam, but it's unedited, this is the whole thing. So we get to the data center. It's got a nice secured lock panel that I did not know the PIN for; I think it was his son's birthday. But you know, I wasn't looking, because you

know, and then he lets me in, and I was like, will you let me in here by myself? I'll go get you in a second. And he left me by myself. The one thing you can't hear in the audio is the audible sigh, because I want them to do well, and this is not going well. But then I also realized that lady was freaking sharp as a tack; she may now go talk to the manager, like, who was that guy? So I was like, I need to catch up with him, he's my golden ticket. So I hurried up to catch up with him: no, you're staying with me, buddy, let's get going. Now behind the teller line, because having a guy robbing a bank being escorted by the manager behind the teller line never goes badly for people, at least the robber. So here I go, start compromising machines there. That's fun.

Now I have to say, I try not to lose my cool during these, but this one was really hard, because I was so upset at the rudeness I experienced here. On this next one, this freaking ungrateful, very not nice employee had the audacity to lock his workstation while I'm trying to rob him. How rude. But it's okay, it's okay: I got the manager to go get the employee that was on break to come and unlock the computer for me. So that was good. I'm so glad I kept my cool, because that would have been messy. But yes, because Lebanon, like most countries around the world, speaks more than one language, I tell people, I'm sorry, I'm from America, I only speak one language; I'm from Texas, I don't speak it very well. And so I like to make jokes, because it makes me sound very affable, just very nice. I'm a nice robber, okay? I try to be polite.

Now we're going to go where the vault is, and if you think that vault is the big shiny place, you are mistaken. This is the vault, and this is the most powerful employee in the bank, this lady right here. You know why? She's doing the wire transfers for the company. Why would I go after a couple thousand dollars in a till when I can get the wire transfer of a couple of million? So this was way too intimidating right there; I was just there for the effect. But there I go, and I also felt sort of bad, as she was right in the middle of the wire transfer. Hope I didn't mess it up when I launched Notepad. And I did it graciously: I appreciate the help. But remember one important thing that I said about me, because I'm honest, you know, when I'm not being paid not to be: I'm petty. So of course I had to go to the one lady who actually stopped me, but this time I have the manager behind me, and I had to compromise her machine too. I wanted to get 100%, compromise the whole entire branch, that's my cover story. I'm just petty. I was just like, you did a really great job, lady, you did everything right except right there. And I literally felt a little bit bad, not bad enough not to do it, but I still felt a little bit bad. All done. See, I was polite, I plugged it back in, and then I go, thank you, I appreciate your help. And this really was actually the end of what I said, because I was literally like, how did that just happen? So that is me robbing the bank in eight minutes, 100%, from first compromise at 15 seconds. How many leet skills did I use during that? What was my skill or magical training that allowed me to do that?

There was none. There was nothing that I did that not one person in here couldn't do. Don't do it, okay, especially don't get caught and say Jayson told me to do it. But there is literally nothing that I did that any of y'all couldn't do. I used a Bash Bunny script, a Ducky Script that I got from Hak5, and just edited the Notepad payload in their tool, and that was it. If I wanted to actually do more of a payload, I could have done that, but I'm trying to be there as a teacher, not as someone that's testing. So when you hear all these people talking about all these leet skills that they've got, understand that may have been years of failures that got them to the point where they can do those things well. There is nothing stopping anyone in here from doing the same kind of thing, okay? I mainly do my job through, you know, I have no shame and bad impulse control. I mean, those are the main qualifiers for my job. So if you've got that, and if you're in this industry there's a good chance you've got that, you can do these things. Don't make it like it's something special, the dark arts. We should be opening up for more people to do this stuff, not trying to limit who can do what and intimidate people from thinking that this stuff is something that not everybody can do.

And we're going to show another one, and this is how, once again, I use people and perception. I'm coming in from the public area. I ignore the tellers at first, but I stand here. It's the lady on her phone behind me, in the bottom; she doesn't see me, but I'm hiding behind this column so the teller people can't see where I'm at. I wait several seconds and then I walk around from the private area like I was coming from that lady who was on her phone, and I walk straight into the teller line. I go to the very far end, I say hello, I make sure that they know that I'm initiating contact. One of the best counter-social-engineering maneuvers you could ever do is going, hey, how you doing? Perfect, because you're initiating conversation. If you're trying to be a bad guy, you're supposed to be hiding, you're supposed to be avoiding contact. I'm like, hey, I'm over here, what you up to? Nothing, just robbing your stuff. That one machine that I did first wasn't even plugged into a computer, but I was establishing a pattern. So then I go to her computer and I'm like, yeah, I'm doing a USB audit again. Now this other lady, she was working, she ain't having me, okay? So I do, you know, classic bank robbing 101: I spin in the chair until I can get a moment for her to, you know, let me rob her. She's still not happy with me, but I'm like, hey, I just want to do one thing, you know, compromise your system, thank you, won't take much time. See, that was painless, for me. And when it's all done she's smiling, I'm smiling, everybody's smiling. I mean, you don't have to be mean to rob people. And then the lady that was on the phone, I'll do her as well, just because, you know, thorough.

And there we go. What made that possible? That column. That is the only thing that made that engagement possible right then and there. I would have had to come in from a totally different way, or change my perception and change my attack vector, if that column wasn't there. Because when I first walked in, the tellers saw me, and they knew I was coming from the outside. They knew I was not trusted, because they don't know who I am, they've never seen me before, and hopefully they never see me again. And they're like, yeah, that's someone, you know, sketchy, yeah, he isn't supposed to be

here. But when I went around that column and I was there for a bit, they're not even thinking it consciously, but they're like, oh, you must be talking to someone over there, I don't see him. And then I'm coming from around the column like I had talked to them, and so they're assuming, oh, he's from the private side now, he's been vetted, it's totally cool. And it was just that simple, and we don't see that. That's one of the things I love about being on SP: especially since I was young, I've had to study human nature, because normal people scare the [ __ ] out of me, okay? And so I had to learn what people looked like and what they were thinking and how they do stuff, so I can mimic that, and so I could be that way so I wouldn't be, you know, too scary. That's the whole point, is being able to look at human nature, the stuff that they don't even realize people do, and try to make sure that I can capitalize off of it and rob them with it.

So after all that, we can all assume that your company... I said this all funnily and stuff, you know; funnily is a word, don't look at them. But seriously, I had a 100% success rate on every engagement I've been in for the last decade. Don't think that these people are stupid. Don't think that these people did something wrong. They didn't know and they weren't trained, and that's what I was there for. I wasn't there to test their security; I was there to teach them what an actual attack looks like, so they understand it. So yes, that was fun to watch, but trust me, that could be anybody's company. Some of those people did a really amazing job, but they made slight mistakes, and that was what I was there to show, so they could be educated next time. It wasn't to make fun of them, because I'm not attacking your network with technology or 0-days. Again, I'm attacking your people, using their perceptions and expectations to get in. That's all most of my job is: trying to figure out how I can blend in and look like I belong there when I totally don't belong there.

Here's a great example of that. These two pictures were taken 24 hours apart. They're a little bit different, not too different, but they're a little bit different. But what is the big difference in this? I don't have a jacket on. Look at the snow behind me. I'm from Texas, I am freezing my everything off, right? It is freezing cold outside. What kind of crazy person doesn't have a jacket on when they have to walk three city blocks to the place where they're supposed to compromise? Well, this kind of crazy person, because, you know why, once I break in, which, spoiler alert, I did, I'm now walking inside their private area without a jacket. So what does that mean? That means I must have already been there, and I already put my jacket somewhere. Because if I would have shown up in the parka that I would like to have worn, that would be really weird, coming to your desk, and I'm with the help desk, like, why do you still have your jacket on? It's warm in here. That would be odd. But since I didn't have a jacket, without them even thinking about it, I'm assumed to be safe, because obviously I put my jacket in my conference room or in my office, obviously I've been there for a while, or I would have a jacket on if I was coming from the outside, so therefore I must be from the inside. It's those simple things that we don't think about that I'm trying to attack and take advantage of, and I use it through what I like to call attack of fashion. There's only three ways that I'll rob you, okay: I use my assertive role, my passive role, and my YOLO role. Let's see if this works.

We'll get to all of them, because in each one of those pictures I was robbing people. And I don't want anybody to think appropriation because I'm acting like I'm a homeless person: I used to live behind a dumpster, I used to be homeless when I was a teenager. I was never that fancy, though, and never dressed that nice or smelled that good. But I'm using it to hack, because trust me, no one looks at a homeless person. No one pays attention to what's going on, and who the [ __ ] would have a piece of cardboard used to, you know, take a computer and attack people as you're walking by?

Okay, so we're going to start off with the assertive role. It doesn't mean aggressive, mostly; sometimes I've been sort of aggressive, but it was like in the first one, where I was being very stern, like, hey, I'm supposed to be here, you knew, contact management, I'm supposed to be here, you should have already talked to headquarters. The mannerisms are: I'm official, I may be a little off-putting, I may be a little upset, I may have jet lag. Always one of my children is having a birthday that I'm missing because I had to fly over here and do this audit, so I'm just really, you know, detached. And the hardware, though, is way more limited. I'm only using like a small USB drive, or some kind of small device, because I want it to fit in the suit that I'm wearing, usually. But the suit that I'm wearing, mother... nice, okay. This is the business suit, dude. Fear it and tremble. When I was allowed to go to China, long story, one of the best things about it was I had a tailor in Beijing, Peter, amazing, amazing man. He made all my suits and shirts, and I love it: when I was first talking to him about my suit, about what I wanted to design, he says, are you a magician? And I'm like, no, Peter, I'm not a magician. You know how you can tell? Because, Peter, magicians always say, look, nothing up my sleeve, and, Peter, didn't I specifically tell you to put pockets in my sleeves so I could put Bash Bunnies in them? You're asking, Jayson, why do you have Bash Bunnies in your sleeves? Because it's cool, period, that's it. No, I just wanted to be able to show that I had something up my sleeve. I'm 12, okay. So that's what I had that for.

And then also I like to dress fancy, you know. I came from a poor background, so I'm always fancy, right? Look at that: can you see the three hacking devices that are in this picture? I mean, come on, the USB recorder pen is pretty obvious. That watch, believe it or not, is not a Rolex, okay; I know you think I'm balling like that, but no. That's a 16 gig USB hard drive that you can connect to a cable and download 16 gigs a day, which I'm sure wouldn't affect anybody's, you know, productivity. And it's also got a hidden video camera in it, so that's nice. But the best one is, Peter also made all my shirts and he made them all French cuff, and he was like, you want these all French cuff? Like, yes, Peter, I want to be fancy, okay, because I always thought wearing cufflinks makes you fancy, and they do. I'm pretty classy AF when I'm wearing my French cuff shirts, my cool cufflinks. But these cufflinks are the coolest, since I can use them to rob you with, because one of those is a wireless adapter that I plug into your server or CEO's desktop and turn into a wireless access point. And don't worry if you're using Mac or Windows or Linux and stuff: the other cufflink is a USB drive with all the wireless drivers that I can install, and maybe a

couple of command-and-control payloads and some gifts that I'll leave on the server for myself to use as I'm then hacking you the rest of the time from the parking lot, off my new access point into your internal network. So fancy AF, right?

Here are some other devices. And, say, my jacket, as you can tell, it has some things, but it's got pockets, right? Isn't it amazing? Look at all those pockets. Hey, trust me, I'm right there with you. I don't know what is wrong with Western culture, that women can't have pockets and men can't wear purses. I love having purses, and little backpacks; we've got to call them tactical bags now because it makes it sound more manly for us. We love wearing purses too, okay. So you see all those devices. Guess how many devices in that lineup I used. Four, maybe five. But it looks cool, don't it? You ever seen those movies where it's got the assassins or the spies and they reveal that hidden wall or picture, and it's got all those lines of guns and bazookas, and they go like, here, let me grab this pistol, okay, I got it, let's go? I think that's adorable, I love it, right. So I wanted to have a huge, like, these are all the devices that I could attack you with, you know, if I was going to, but I could, not going to, but scary, right? So yeah, those are a whole bunch of things that you're supposed to be afraid of that I never use. I use a Bash Bunny, I use the Rubber Ducky, especially the new one, which is like scary good, Shark Jack, Wi-Fi Pineapple, Screen Crab, and I use O.MG cables, USB-C or, you know, Lightning. I'm not trying, I will exploit any operating system indiscriminately, okay. So Apple, Android, I don't care.

And so the next role is the passive role. Passive role doesn't mean I'm going to be wimpy. I'm just, look, I'm just trying to do my job, can you help me out? I'm with the help desk. I'm always coming in with the help desk. Never go on an engagement as a plumber unless you know how to plumb, okay, because you never know when you go into some place and they're like, oh, thank you, it's been leaking back there for five hours, we called you like 30 minutes ago, we're so glad you showed up. I always go in as the help desk; I used to be help desk. Once I was at a branch, I was stuck there for over 40 minutes, regardless of the engagement, 40 minutes doing tech support. When they got me to try to start working on the printers, I'd had enough. I lied to the guy and I said, hey, you know what, I didn't want to tell you this, but really I'm here to do an audit, because we're retrofitting and outfitting all the branches with new equipment, and you're really great, and so I'm going to put you on the list for first, because you guys are awesome. And I'll never do that again, because when the engagement was over and I had to explain to everybody what was going on, the bank manager, this wonderful old soul, raised his hand like he was in class, and I'm like, yes? And he's like, um, but we're still getting computers and equipment, right? And I'm like, no, I lied. I'm the bad guy, we met. I mean, I've brought people in a wheelchair before. I'm a bad person when I... hey, remember the kittens, okay. I've already established my moral fiber as someone who is trying to rob you, okay. I don't know why people get upset about what level. People are robbing people with guns; I'm trying to do it with a smile, okay. I've got to be a little bit here. So that's what I try

to do. The gear that I use is much more diverse, because, you know, people are... and I've literally been on the engagement where I said, it's a techy thingy or something or other, I've got to do something with the Wi-Fi stand, and they're like, okay, sounds cool, that's what a nerd would say. And I'm like, I am a nerd; I'm not bluffing with that. This is what I'm usually wearing. I always like to come with warning labels. Yes, that shirt does say hacker; yes, I used it to rob a hotel in Malaysia and several other research facilities. And yes, the other shirt does say "your company's computer...", which I wore to rob the financial institution right across the street from Ground Zero in Manhattan. And that is a fake Microsoft badge, again, because, you know, I like Microsoft, thank you, guys. And that's the old badge, that is the old Microsoft badge. Don't be trying to come up here and go, like, yeah, Jayson, but don't they have a new badge? Yes, and I've got a copy of it, but it's not as fun as using the old one and still getting away with it, okay? Because, you know, 12.

And here is the clipboard of doom. Notice the theme. So with the clipboard of doom, it's also got a little side container; it's got some devices. Yes, I've used the Bash Bunny that says victim on it and had to explain it to someone when someone questioned me, because I like to come with warning labels. But here is one of the other scariest tools that I've used on my engagements, and I'm not talking about those two awesome O.MG cables, that are microcomputers disguised as charging cables, which are really, really good at robbing people with. No, I'm talking about the even more intimidating one: the envelopes with a red marker. There is nothing more effective to compromise a company than walking through a secure area, okay, seeing someone's office or cubicle, but you can see their name on their little badge inside their door. So you walk on in, grab a delicious USB drive, put it in the envelope, you know, seal it nice and tight, write their name on it, leave it on their desk and walk away. Who the [ __ ] is going to come to their desk, see an envelope with their name on it and a USB drive inside, and not plug that into their computer? Horrible, I know. I thought of it myself, I'm so proud. It's diabolical. Kittens.

Some of the other devices I'm using are, like, you know, the Wi-Fi Pineapple. I got the Proxmark card that I've never used, let's be honest. I don't clone cards. It's cool, and all the cool guys that can do all the really cool cloning, more power to you, but I just never needed it. I'm sure eventually, when I get to the point where I have to actually, you know, adult for a living, I might do that, but I doubt it. And then there's some of the other tools that I might use in there. One of the things I like is, when it says pwn on it, that is a Screen Crab. You plug that in to the HDMI, usually to the executives, because, you know, you're still using CRT or DVI or something, right? But the executives, they got the HDMI monitors, because they're classy, right? So you plug that in: one end goes into the monitor, the other end goes into the computer, from both ends of that device. And what does that do? Oh, it records everything it sees on the screen. Your CEO, I'm sure, is not looking at any kind of emails that may be sensitive, or information that they may not want the public to see, because, look, it's being broadcast wirelessly to my computer in my van in the parking lot. Maybe not a van, that's

you know, [ __ ] and scary, but, you know, my Honda Civic in the parking lot. I'm on a budget.

So now the next one, and I'm embarrassed about how many times I've actually had to use this. This should not be your first choice, but in certain situations I'm faced with, like, I don't know what kind of pretext is going to get me into this place, and so I'm like, YOLO, let's see if I can fake being a TV producer and break into a financial place in Jamaica. Spoiler alert: the answer is yes. Or break into a hotel as a drunk customer who's barefoot in Teenage Mutant Ninja Turtle pajama bottoms in the south of France. Spoiler alert: that's me after I broke into a palatial hotel in the south of France, barefoot, in the Ninja Turtle pajama bottoms. The best part about it is that picture that you're seeing on the right, that's not from the hotel I robbed; that's the dump they put me in, because they couldn't afford to keep me in their hotel for the whole engagement. They could only afford, in the off season, for me to be there for one night to do the physical part of the engagement. That's how expensive it was. It was very exclusive, and it wasn't in Cannes, you know, where like the newbie rich people go; it was in Saint-Jean-Cap-Ferrat, which you don't know about, because that's where the people have boats on their boats with a helicopter, right? That's the fun stuff. That's the dump they put me in; it was an amazing time. And I'm only using, you know, like a small Rubber Ducky on that, I'm using like the pen video thing, because the fact is I don't know what the situation is going to make it. I've gone in as a tourist. When you're definitely going somewhere, especially in Asia, when I broke into places like that, shame is a very big thing that you should never manipulate people with, but on their part... But yes, I have acted like I peed my pants and went to a security guard and was like, I have a problem, can I...? And he immediately let me into the private area so I could get in the restroom and save face and stuff. I was very thankful for that. He was not thankful after he realized all the other stuff that I did once I was left unattended. But still, yes, it's crazy, but is it really crazy if it works? Yes, but it worked.

And so just remember, if you do find a way in, if I do find a way in, and trust me, I usually do... I love the picture on the right, it's my favorite, because I can't do this stuff anymore, but that's me climbing seven stories above Nicosia, Cyprus, coming out of a window that was like a straight drop down, going around to an air vent that was going this way when it should have gone this way, and climbing up over it, and bypassing all the surveillance cameras, to show that I could get into their server room on the roof, because they didn't think anyone was able to get in from that way, and so that's why they had glass windows with just, you know, drywall protecting it. And when I got to the top, the guy who said I couldn't do it, who was holding my jacket, took the picture. But yeah, I will find a way in, so make sure your employees know how to respond once I'm there.

Now let's end it with the final myth, and one of the biggest myths: security awareness in its current form is working. Total, total BS. You know why we suck at doing security awareness? Why are we trying to teach our users all these little things, so they can do their internet, web-only, you know, ten-question thing every six

months and multiple choice and go can client but that's not working how many people in your company realize that one of their job responsibilities is to protect the equipment that they are given oh never heard it said like that Jason you should have because that's what it is an employee will do everything that is required for them to stay employed and successfully feed and clothe themselves and their their partners and their family not an ioda less or more more it's like BL a lot less it's like not Iota more okay and that's the problem information security is making security like it's an add-on like it's something that's an afterthought or something that they don't really have to worry

about if you have a company that uses an employees delivery drivers on the first day of their job you give them the car keys and go we hired you you know what you're doing here's the keys have fun here's your rout no mother they got a $60,000 piece of equipment and rool they've got liability to the public you're making sure they know that they have to use the turn signals you're making sure that they know that there's a safety belt that has to be used at all time you got their number on the back of their band knowing that they're going to get knocked out as soon as they make a wrong turn somewhere you've got them understanding

and if they get in a traffic accident it's like are they getting a slap on the wrist while that van is getting buffed out and G a new van oh no if they wreck that van three times and total it are they still employed in your company I doubt it but we give our employees a piece of equipment and just go knock yourself out they get to make a mistake on that equipment and jeopardize the security of the company like oh okay rent restage this it's like that don't do this next time but if you're that worried about a $60,000 piece of equipment why aren't you worried about a person clicking on an email and costing you $350 million I'm

looking at you tet it's like why not that's costing you $350 million that's a lot of fans I mean I'm not good at math but that's a lot6 yeah I'm not doing it's like yeah it's like but that's the equipment that laptop is the equipment that they're responsible for securing that they're responsible for taking care of it the only problem is not that they don't want to do it is that you haven't shown them that that's one of their responsibilities huh I figur8 check the 8 oh okay it's like have show me up my bad mascul 58 man it's like I can't that off my head or his head there we go so there we go so but seriously if you

start showing them from the first day that they're employed that that's part of their responsibility they're not going to like it but they're going to do it just like they know not to go to like you know certain bad places on the internet while they're on the company equipment they'll know not to click on unsuspicious links or go to unsuspecting websites they're not familiar with because that's also the policy that's also enforced because we need to educate our employees not on the dos and don'ts of spear phishing or surfing we need to educate them on the fact that one of their roles is that they're a member of the security team they are part of

information security they're not above it or beneath it or beside it they are a part of the team and you better start treating them like they're part of your team they're not a liability they're the best human but here you're going to go through another 30 minute class on information security on the policies and practices and how you can be better aware of how these phishing attacks happen and how to be more cautious with them they do it again for the second time you're going okay we're going to write this one up you're now in a separate group where all your emails are being quarantined and you have to whitelist all the emails you want for the next six months so you

can understand what kind of emails are coming into your environment and which ones you need to be cleared up that sucks yeah so does losing $350 million okay on the third time bye see you later it's like I'm not going to let because I'm not going to let you consistently jeopardize my employment and all your co-workers' employment because you like to click willy-nilly and also you need to interact with your employees when things aren't on fire when I used to work on a gang task force I met everybody on the worst possible day of their life something horrible happened to them and I show up I show up something horrible is about to

happen to them it's always the worst possible day it's like not much has changed actually now my new but still it doesn't matter so yes it's like so you need as an information security refes you need to make sure that you're communicating with uh your employees telling them hey there's a new iOS update you know it's a good it's got a lot of security features hey there's a new emoji set too but you need to do an update on your iPhone oh there's a new warning out make sure your systems are updated hey we're going to do a lunch and learn about how to protect your kids online you know with uh the different social medias and

how to check the privacy settings on the Snapchats and the TikToks and the whatever things out there now you know it's like we're going to show you how to do those things we're going to be accessible to you because we're not there to make it look like you're doing something bad we're there to help you stay employed and protect the company when you approach it like that like they're part of the team and you're there to help them instead of looking for them when they do something wrong this is going to freak you out but they start talking to you I know I hate social contact too but it's like but it's it but you do it for the public

good you know you're doing it for the good of the team it's like you need to interact and be positive with

them I think I'm lying I'm done thank you

yes so around creating awareness in every employee and hold hold that really love okay right so obviously you're trying to encourage that every person has a sense of awareness so that when anything feels off they respond raise that flag it but a lot of the new approaches completely confiscate what things should set us off right companies are using Intune they're pushing updates you all of the security things happen behind a system that you have no awareness of what do you think of that is that is that good for us is it bad what's the balance I think one of the things is we need to learn how to not talk to users we are very good at explaining to people

very technical things in a way more technical complicated than is necessary it's like you want to get someone interested in how they need to why they need to be uh secured with your vehicles how many people here don't lock their cars because it's such a safe neighborhood right exactly exactly and so you explain to them do you keep your car unlocked when you go to the grocery store because you're only going to be there for 5 minutes no so why do you not lock your workstation when you're going to be gone from it it's like do you allow every person that wants to stop you on the street and try to sell you something or talk to you do you

engage with every single one of those people not hardly it's like so why are you doing that when they send you emails it's like equate it to the ways that they can relate to and they can understand it's not their job to understand you it is your job to say it in ways that they can understand and that can be useful it's like you talking tech and talking you know really sounding smart helps no one if they can't get anything from it it's like all you did was waste your time it's like so we need to be able to communicate with them and not just show them like why it's technically s we show them hey this is why we're doing

this stuff because this is just basic security you're not going to leave your stuff out on the street you're not going to leave yourself unsecured why do you do that to the equipment why would you do that to your computer it's like so we need to show them that way and learn how to communicate with them better it's like it's not on them uh to learn it it's on us to communicate it better any other questions yes oh by the way I'm not really screaming at you it's like I know I get very Ry I'm like you know trust me I'm screaming at everybody here in information security it's like it's a group session uh Jayson

um just thank you for the talk it's actually good to see the footage after yet the St put everything together uh from your experience uh do you think it's a good idea to incentivize employees um oh my God yes it's like uh that's a whole other talk it's like it actually not working but uh it's called gamification and that is priceless the one thing that you can take away right now that you should be doing is going to your management and saying I want you know 2,000 Rand it's like or 5,000 Rand every quarter to give away in a gift card or some kind of gift card I want to be able to give

$5,000 or 5,000 Rand away every quarter and then what you do is you have a raffle system you found a suspicious email you get a ticket to the raffle not like a physical one but you get like entries into the raffle it's like hey you blocked someone from walking in because they didn't have a badge you took them to security and reported it you just got 20 entries right there you reported a phishing email that turned out to be an actual phishing email or a test you just got 20 raffle tickets to get inside your cost is always going to be the same 5,000 Rand but I guarantee you the participation is going to increase every

quarter because trust me there will be people going like I don't really care about it I want 5,000 Rand there was a lady in the United States who reported a suspicious email from a coworker and she was like 20 minutes later security's at her desk and they're like why did you report this why did you think it was suspicious she thinks she's like totally busted right she's freaking them out like okay okay I'm sorry it's like but tomorrow is the deadline and it's like I didn't have any entries and like and he never usually sends me emails and it's like and he's not supposed to it's I just never got so I thought maybe this would qualify if I

am I in trouble or something his machine had been compromised for over 3 weeks they were doing a pivot attack and trying to do a privilege escalation into the network further and she stopped that uh she won the raffle can't you're Wonder it's like they didn't do a drawing that for her it was hers it's like and it was not because she was being security conscious but she knew what to look for because there was something in it for her do a game for your employees you have a problem with employees aren't actually checking badges when they're going in have a game called where's Waldo every quarter what that means is you grab an employee at

random and you take them in and you tell them here's your badge it's got the same controls it's got your same name but instead of your picture on there it's Waldo and then they have to use it and just stay cool and just use it and whoever stops them and spots Waldo gets money and if they go the whole quarter without getting caught they get the money so that way you don't have them colluding with employees trying to get how you do it it's like they're literally social engineering your employees to be better at protecting against social engineering it's like trust me it works it's like so yeah that's what that's about so gamification is a perfect thing

to do it's like make it a positive experience instead of just like a quarterly you know multiple choice question it's like that is boring AF and that you can us should back out of and like take the quiz again like oh I passed yay any other questions everybody wants to get out of here and I totally agree uh one more person and then I'm gonna out of the M oh my God I am like extremely late I apologize in I me I'm always late on this because I just talk too much but last one and then y'all can go get prizes and drinks and stuff because I'm the mother that's keeping you from in your tests have you ever

used a ladder to get into an area you're not supposed to uh have I ever used a um in that one picture which was really cool is I actually used the uh there we go be there I used the anti-ladder uh cage around the ladder to climb up on the building I found a pallet right by the dumpster familiar with dumpsters uh and it's like you so I dragged it over used that as the first part of the ladder and then I jumped up onto the outer ring of the anti-climbing ladder device thing and then I just used that and the brackets that was into the wall as my ladder to climb all

the way up money well spent uh so uh I've never really used an actual ladder ladder uh that I brought with me because I'm cheap and it's like they're heavy and they'll probably still relide uh so look up in 2017 Super Bowl three teens with a ladder and you'll see three teenagers 5,000 uh law enforcement officers Secret Service National Guard at the Super Bowl in Houston because the vice president was in attendance and three teenagers found a hole in the link fence got in found the ladder and they all had the brilliant idea like let's all carry the ladder together and see where they they got everywhere they got into like on the on

the near the field they got into the little um bunker I don't do sports ball in the bunker area where the players go it's like locker room it's like they got it to the stands they got to meet gu Ferrari so you get punishment I guess it's like they got to meet all the stuff and all because they were holding a ladder and they YouTubed it so you can actually watch how they did it so don't tell me this takes skill or this takes some kind of like you know gate I hate gatekeeping we're hackers EIC G jump the fence go under the fence go around the fence don't I'm not the one telling you how to do it just do it so

that's how you got to realize it's not that hard because you're going against human nature and human nature is easy to manipulate once you realize what the the rules are okay now I'm done bye thank

you that's kind thank you very much