Darknet Diaries - 66: freakyclown
Episode Date: May 26, 2020Freakyclown is a physical penetration tester. His job is to break into buildings to test the security of the building. In this episode we hear stories of some of these missions he’s been on....Thanks to Freakyclown for coming on the show and telling your story.SponsorsThis episode was sponsored by IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET25.This episode was sponsored by Molekule, a new air purifier that completely destroys air pollutants to help you breath easier. https://molekule.com.
Transcript
Discussion (0)
Well, let's start with what's your name and what are you known for?
Okay, so my name is FC.
My hacker alias is FreakyCloud.
I'm known for being the co-founder and co-CEO of Sygenta, a cybersecurity company here in the UK.
I've been in the industry for 20 mumble years, and I've done a lot of hacking, a lot of social engineering, physical assessments, that kind of thing.
I was half expecting you to say I'm known as the guy who breaks into banks.
Yes, I do rob rather a lot of banks.
Probably more than anyone in history, if I'm going to be honest, actually.
Quite a lot.
These are true stories from the dark side of the internet.
I'm Jack Recider.
This is Dark by Delete Me.
I know a bit too much about how scam callers work.
They'll use anything they can find about you online to try to get at your money.
And our personal information is all over the place online.
Phone numbers,
addresses, family members, where you work, what kind of car you drive. It's endless.
And it's not a fair fight. But I realize I don't need to be fighting this alone anymore.
Now I use the help of Delete.me. Delete.me is a subscription service that finds and removes
personal information from hundreds of data brokers' websites and continuously works to
keep it off. Data brokers hate them because delete me
make sure your personal profile is no longer theirs to sell. I tried it and they immediately
got busy scouring the internet for my name and gave me reports on what they found. And then they
got busy deleting things. It was great to have someone on my team when it comes to my privacy.
Take control of your data and keep your private life private by signing up for delete me now at
a special discount for Dr. Dyer's listeners today get 20% off your Delete Me plan when you go to
joindeleteme.com slash darknetdiaries and use promo code darknet at checkout. The only way to
get 20% off is to go to joindeleteme.com slash darknetdiaries and enter code darknet at checkout.
That's joindeleteme.com slash darknetdiaries. Use code Darknet at checkout. That's join, delete me.com slash Darknet Diaries.
Use code Darknet.
Support for this show comes from Black Hills Information Security. This is a company that
does penetration testing, incident response, and active monitoring to help keep businesses secure.
I know a few people who work over there and I can vouch they do very good work.
If you want to improve the security of your organization, give them a call.
I'm sure they can help.
But the founder of the company, John Strand, is a teacher,
and he's made it a mission to make Black Hills Information Security
world-class in security training.
You can learn things like penetration testing, securing the cloud,
breaching the cloud, digital forensics, and so much more.
But get this, the whole thing is pay what you can.
Black Hills believes that great intro security classes do not need to be expensive,
and they are trying to break down barriers to get more people into the security field.
And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range,
which is great for practicing your
skills and showing them off to potential employers. Head on over to BlackHillsInfosec.com
to learn more about what services they offer and find links to their webcasts to get some
world-class training. That's BlackHillsInfosec.com. BlackHillsInfosec.com, blackhillsinfosec.com.
As you heard, today we're going to hear a story from FC.
That's his name, FC.
But over time, he's taken on the name Freaky Clown as well.
Now, FC, or Freaky Clown, grew up in England.
He sort of raised himself.
His family just wasn't around.
You could say it was dysfunctional.
Grew up in an area which didn't even have a village name, right?
It was in between two villages.
It was two miles either way before you got to anywhere.
Computers were my only communication with anyone that had any real sense.
You know, my parents were around, but not talking to me.
You know, computers parents were around, but not talking to me. You know, computers became my
life. They were the only thing I knew and the only thing I interacted with for many years.
So it became a passion. It's a part of me. And I can't, I can't ever imagine my life without
computers because of that. He borrowed computers from friends at first and then saved up enough
to get his own. He had the opportunity to go to college, so he went, at first studying auto mechanics,
and then he got into science.
But along the way, he realized he was really good at computers
and sort of shifted to an IT job in his early 20s.
I was working as a sysadmin at the time, doing some security stuff as well,
because they always cross over.
When the company that I was working for was going under,
the guy he ran it was a terrible person in general, actually,
but he was terrible at running a company.
And so when he started to go downhill, he kind of went off the rails a bit
and he started blaming everyone else for it.
This didn't make sense to FC, but the owner was blaming a bunch of different people for
things that they did, which was why the company was going out of business.
It seemed obvious the owner was trying to find a scapegoat.
So he accused me of wiping a PC of data that he had loaned to an employee who had given it back and so he actually called
the police on me and said he has done all this stuff and he's hacked all this stuff and wiped
all this stuff and it was just part of my job to like wipe it clean because why would we want any
of their data on it um it was it was part of the policies and procedures that we had so he i don't know what he was
expecting to happen there i remember the the police phoned me up and said we want to arrest you which
is very weird and so they said can you come down to the station so i went down to the police station
um and they said oh have you got a lawyer i said no they said well go away get a lawyer and come
back and then we can arrest you.
So I'm like, OK, this isn't this isn't going how it normally looks like in the movies.
Right.
So I go back with a lawyer.
We talk about it.
They officially arrest me.
And yeah, it's a little bit scary because they were looking through the computer system and they didn't have the crime that they of saying that i did on the computer system so what they did
was they they looked up and they're like okay we'll just put it under attempted murder and just
put a note saying it's actually about computers now now at that point i started to get very
worried and so did my lawyer in fact and but there's nothing else we could do
and just went through the ringer for like six months, a year almost.
And thankfully, all the charges were dropped and the case sort of got thrown out, basically.
But it really did make me see like, you know, it's very easy to cross that line if you don't know what you're doing.
But because I had completely always stayed within the law,
I had no problems there.
After this sysadmin job fell apart,
he got a new job doing sysadmin work again,
but with a different company,
this time with a little bit more focus on security.
And here he learned a lot about how to make computers secure or insecure.
And the security side of things really interested him.
So he quit that job and became a full-on penetration tester for an information security company, and this is
where clients would hire him to come and try to break into their place or steal things or get
access to stuff that he shouldn't be able to get access to. This typically involves a lot of social
engineering, calling people on the phone and lying to them to get info or posing as someone else to get access.
One day he got assigned to do a physical penetration test on a bank.
So my first engagement with the actual bank was absolutely terrifying.
It was a massive building in London and it it's not a normal bank, right?
It's not a normal high street bank.
This is an international bank that does finance stuff with other international banks.
All they do is shift vast amounts of money.
This one in particular had a gold bullion vault.
And the client came to us and said, look, can you break in and maybe steal a bar of gold?
Well, that's an ambitious
subjective, to grab a gold bar from within this bank and to get it out. But by that point, Freaky
Clown had already done many physical penetration tests, where he's paid to test the physical
security of a building to see if he can break in and gain access to stuff he shouldn't be allowed
to. So he's confident in himself and has a variety of tricks and skills he can use to bypass weak security.
And now this bank has asked him to rob them.
So I'm like, okay, that sounds interesting.
Let's do it.
First, he does some reconnaissance.
He wants to go down to this bank
to see what security is like.
But instead of going down during the day,
he waits until two o'clock in the morning to go down
there and the reason why he's going so late is because maybe he can tug on a few doors to see
if any of them were left open and there might be a back service door or a window left open or
something so he just goes down to take a look so he drives to this bank which is right in the middle
of london walks up to the building i'm'm wearing sort of, you know, sort of dark clothes
and I'm mesmerized by this building, right?
I'm just looking at it like,
holy crap, this place looks like Fort Knox,
but worse, right?
So I'm like, oh my God,
how am I going to break into this place?
And I stood there just completely mesmerized
for like ages.
When I hear someone from behind me
sort of like give a cough, like,
like sort of, like so yeah just interrupting
me and i'm still mesmerized with burden so i'm like what he's like excuse me mate uh what are
you doing i'm like well i'm trying to work out how to break into this bank and then i turn around
and see the two policemen that have just asked me this question. And it was like, oh, hang on, let me explain my job right now
because this is going to go really sideways.
He had to spend the next hour explaining to the police what he does.
And there were a few phone calls that were made to confirm his story too.
But eventually they let him on his way.
Freaky Clown knew this night was ruined,
so he left and came back the next day, this time in broad daylight. but eventually they let him on his way. Freaky Clown knew this night was ruined,
so he left and came back the next day,
this time in broad daylight.
The nightguards were on to him,
so he had to try a new approach.
This particular bank had just spent a million British pounds upgrading the security on the front of this building.
It was absolutely airtight in every way.
He literally could not make any progress coming through the front.
But this isn't a regular bank where customers are just walking in off the street.
This is more of a business-to-business kind of bank,
where there aren't any tellers at all,
and nobody's in the lobby except for security guards.
So if you go through the front door,
there's no place to go if you don't have the right access.
So the front was just not going to be the way in.
But in the back was a service entrance
that didn't get the same security upgrades.
FC figured out a way around back.
You got past some restricted areas and into the building.
So I managed to get in through the back of this building.
And I got onto this floor where
the security vault was where the gold bullion stored and i thought it'd be like super secure
right you're expecting guards with guns or something but um i just walked up and the vault
was like just open they just leave it open during the day because they need to get in and out right
so they only shut it up at night so if you're in there during the day you just walk in and then i picked up a gold bar and believe me they are
really heavy they're nothing like you see in the movies um like yeah i wasn't going to carry two
outlets put it that way he picks one gold bar up and puts it in his backpack some major progress
here but now he's got to get out of the building because if he gets
caught, security wins. But if he can get out with a gold bar in his backpack, he wins. Now keep in
mind, this is a place that customers don't get to walk around in. And there's this massive security
at the front door. So if you're seen in the building, chances are people are going to think
you're supposed to be there.
I don't tend to get nervous around things like this, right?
It always happens after the fact.
So in the wash-up calls or the wash-up meetings later, I'm just dripping with sweat and looking like a homeless person, right?
But during the test, it's just I switch off and I do the job, right?
So I get this gold bar and I'm like cool i've got the gold bar and i put
it in my backpack and i go down two flights of stairs and i'm going to the exit and i'm at any
moment i'm expecting someone to jump on me but nobody is giving uh like any glance at me i'm so
i'm just walking out of the building i hit the exit button i go through the turnstile and that's it i'm out on
the street it it was honestly that easy it sounds incredible but that's what it was wow he did it
he robbed the bank it's an odd thing um yeah i i just went around the corner i called the client
said i've got got the all of the uh things that we need to get done and so let's meet
up in the lobby and then we'll go through it all so it's not like it was in my possession for a
long time it was like maybe 10 15 minutes at most um but the feeling i get when i when i achieve all
of the goals that a client sets out is is kind of like a bit of ambivalence really it's like well i knew that was going to happen
uh because that's that's what we do right it's our job is to to go in and get it and
the trouble with a lot of social engineering is you're almost always going to succeed right so
i've been doing this for a long time and apart from two issues and with clients screwing up things, I've got 100% record of doing this. And it's not
because I'm like this super amazing social engineer. It's just that's the way it goes,
right? You only have to slip in. You only have to like get in once. It's really not that difficult
to do if you've got the time and the patience to do it.
We're going to take a short break, but stay with us because coming up, more bank robbery stories.
This episode is sponsored by SpyCloud.
With major breaches and cyber attacks making the news daily, taking action on your company's exposure is more important than ever. I recently visited spycloud.com to check my darknet exposure and was surprised by just how much stolen identity data criminals have at their
disposal, from credentials to cookies to PII. Knowing what's putting you and your organization
at risk and what to remediate is critical for protecting you and your users from account
takeover, session hijacking, and ransomware. SpyCloud exists to disrupt cybercrime
with a mission to end criminals' ability to profit from stolen data.
With SpyCloud, a leader in identity threat protection,
you're never in the dark about your company's exposure
from third-party breaches, successful phishes, or info-stealer infections.
Get your free Darknet Exposure Report at spycloud.com slash darknetdiaries.
The website is spycloud.com slash darknetdiaries.
Freaky Clown sort of loves these weird missions.
And who wouldn't, right?
This is exciting work.
But there's one physical penetration test that he'll never forget.
Yeah, so we had a hospital, actually, fairly new.
They had just built a helipad at their hospital,
and they wanted to know if it was secure, right?
So they called us up and they said,
can you steal a helicopter for us?
And I'm like, I'll give it a shot.
Why not?
Well, a helicopter? This this is gonna be good but it's not just about the helicopter the helipad itself is what really should be secure the hospital wanted
to make sure that there was no access to this by anyone other than who was supposed to be using it
they don't want some drugged up patient accidentally wandering onto the helipad and getting hurt or some bad actor out there
Sabotaging it or some hooligans doing something else. I go to this hospital. I spend like a one night
recon
You know freaking myself out in in medicine places under under the hospital like we got into some tunnels and stuff
There are certain areas of a hospital right that when you do a hospital test
you're you're not allowed to go right you're not allowed to go into the children's wards you're not
allowed to go into the maternity wards you're not allowed to go into surgery but everywhere else is
basically free free sort of rain right um but there are certain areas that are restricted to
hospital staff so what you have to do is look at the the maps and the the great
thing about most hospitals is they have like massive public access areas right so you can
just wander around and pretend you're a patient and then there's loads of like fire marshal maps
around so once you study those you can kind of work out the areas that you're allowed to go in
and the areas that you're not allowed to and once you figure out the areas you're not allowed into it's very easy to sort of
steal scrubs for example once you get that sort of almost uniform then you can you can tailgate
people into the areas that you probably shouldn't and a lot of doctors and nurses they do a fantastic
job and they're massively overworked they are not thinking about security and they're especially not thinking about some some guy trying to break in right so
tailgate your way into these areas look around a bit eventually you find the areas where um they
they only have very restricted staff and that's where it becomes a little bit more difficult
because it's not general purpose medical staff that have access to these areas.
There's only very specific people.
So you have to work out where those areas are and then figure out a way to get in.
Cool. This is some good recon.
Maps of the building, scrubs.
He knows where the helipad is, but it's not publicly accessible.
He thinks he now has a good idea of where he needs to go the next day.
So day one is over.
Went back to my hotel room.
Weirdly tripped over something in the night and hurt my foot.
Specifically, his toe hurt a lot.
He tried to sleep the pain away, but in the morning, his toe still hurt a lot.
He's hoping it'll just go away because after all, he's got a helicopter to steal today
and there's no time for a hurt foot to be slowing him down.
So he goes back to the hospital, but now he knows exactly where to go to try to get to the helipad.
He gets to the door that he thinks will lead him there, but the door is locked.
He doesn't have a key and he doesn't think it's safe enough to try to pick the lock.
So he does a different trick and one of the ways i
got into the area that i needed to was i used a pen right so what you do is if you want access
to a door and no one's around and and you're you want to tailgate through it right and you don't
have any other kit to bypass the RFID reader or whatever,
you place a large pen up against the door jamb, right?
So the crack between the door and the door jamb itself, right?
And then you walk away.
So when someone comes through the door, the pen falls into the gap,
and then it stops the door from shutting again, right?
And so that's the trick that I used to get to the area that led me up to the helipad so i used this gigantic pen put it up against the the gap of the door
someone came through a couple of minutes later door didn't shut i went up to it opened it walk
through so it's really nice simple trick right so i go i'm going up the stairs towards the helipad
and i suddenly realized i've
other than being told the model of it i know nothing about helicopters so i phone my friend
a colleague at work and i'm like hey dude i need to know how to get into this make a model of
helicopter right and i i swear to god i have never had a moment that has been more uh more like the
matrix than this moment right where i'm running up to the
stairs and i'm like asking how to get into this helicopter just just like trinity does right
and so uh we get up under the helipad and there's no helicopter it's literally just not there so i
phoned the client and he's like oh my god i didn't think you'd actually get there
um we haven't actually taken delivery of the helicopter yet.
So it's like, oh, great. Thanks.
Well, that's over then.
Oh, this almost seems like a mission from Grand Theft Auto.
But it seems like this was a success, even though he didn't actually steal a helicopter.
So my toe, I'd hurt my toe overnight.
And it's been getting more and more painful throughout this test right and you do a lot of running when you're doing
social engineering tests running up and down stairs and running through corridors or whatever
running away from security guards um but my toe was absolutely killing me and so when the client
after i'd spoken to him about the missing helicopter he's like okay let's come up to my
office um which is up this massive hill and so do you mind if I don't because my foot really hurts
so he was like okay I'll meet you at the hospital so he came down to the hospital and uh it's like
how's your foot it's absolutely throbbing so he has a look at it and he's like I think you've
broken your toe and I'm like what so he escortsorts me to where the A&E entrance is, right?
So our emergency room section of the hospital.
And I go into the emergency room and I have to wait for a bit and then go and get x-rays.
And it turns out I had actually broken my toe, which is annoying.
But what was funny was a lot of the staff then knew that I was there for doing this attack, right?
Because the word had already got round.
And so they were actually really cautious with me because they thought this was actually part of the assessment.
And I'm like, I am not going to break my own toe to get into somewhere I shouldn't.
There's some lines that I just won't cross.
And destroying myself to do that is one of them.
So he had his foot treated at the very hospital that he broke into.
Crazy.
He did penetration testing for that company for a number of years.
And it wasn't always physical penetration testing.
Often he would find computer vulnerabilities on the network too,
which made him get better and better at hacking into computers.
Over and over, he was given the green light to try to hack into a company, and many times he found something which got him access to data
that he shouldn't have access to.
So with all this practice, he was getting really good
at offensive hacking and breaking access to. So with all this practice, he was getting really good at offensive hacking
and breaking into buildings.
After a while,
he was able to get a job at Raytheon,
which is a research and manufacturing company
that develops technologies
like aircraft engines, avionics,
yeah, cybersecurity software too.
Based out of the US,
but they have a UK contingent over here. FC joined their team.
His job was head of offensive cyber research. So basically Raytheon are a kinetic company.
They're the people that build things that fall from things or get shot from things.
And they have a offensive cyber capability, as do many other
defense firms. He wasn't willing to go into any details about what he did at Raytheon as head of
offensive cyber research. But just judging by that name alone, offensive cyber research,
it seems like Raytheon is possibly building cyber weapons, like maybe a vulnerability or some
software to attack an enemy with. Let's not forget, they also make missiles and other kinetic weapons
for the U.S. government and other governments. And let's also keep in mind that places like NSA
and U.S. Cyber Command carry out cyber attacks all the time. So yeah, I guess there is a market
for this. And I guess it makes sense that Raytheon might be building cyber weapons too.
At the very least, I can imagine Raytheon is pretty well equipped to build software to
exploit airplane systems, right? Since aviation is one of their specialties.
They're very entwined, obviously, with governments all around the world,
like foreign and domestic ones, right?
So that's very much part of my life.
Hmm. I think I see where this is going.
I'm just now connecting the dots here.
FC was doing offensive cyber research at Raytheon.
Raytheon's biggest customers are governments,
which he said became a big part of his world.
So did you work for any of the intelligence agencies of the UK, though?
I can't comment on that, obviously.
Okay, fine.
I won't push on this anymore.
But what seems obvious to me is that the tech and infosec experience he was getting was some top level stuff.
Working with a massive defense prime is phenomenal.
You have everything you ever need
the trouble is it is wrapped up in red red tape um and whilst i know that the work that i did
with them was you know it was really beneficial to a lot of people saved a lot of lives saved a lot of uh things happening um took a lot of drugs off the street
like all of the good things right i know that i did all that i knew that when i was in that role
i was serving a lot of good things however it wasn't what was in my heart i wanted to go out
and do more things that would help more people and help
the nation as a whole, right? Help the nation of the UK and others just improve their security,
because it's all well and good spending loads of time building these things that help in an
offensive manner or defensive manner, but it's all for naught if the whole country isn't good so he quit his job
at raytheon him and his wife started a new company called sygenta which is a cyber security company
so we we built this this uh phenomenal company it's global um and we do a ton of outreach right
so this is the big thing for me is it really reaches back into my childhood. I had no one there to guide me,
no one to tell me what was a good thing to be doing, no one to sort of give me that moral
compass. I had to find that myself. And so we see, we just released stats today, actually,
we have seen over 6,000 children face to face this year alone. Actually, we recorded this last year. So those are 2019
stats. But he still goes to a lot of schools to meet these kids. That's going to schools,
doing events with schools. You know, we're part of the NCSC's schools hub program. We're part of
teen tech. We're part of a whole bunch of other things that get us in front of kids to talk to them and inspire them about cybersecurity and kind of show them that there's this fantastic career that they probably don't even know about and the teachers probably don't even know about.
I like this because teenagers committing computer crimes is a big problem that not many people are willing to try to tackle. Teens can stumble on a powerful and dangerous weapon
like an exploit or denial of service tool
and launch it upon someone
not even knowing it's illegal or malicious.
Or they might have a curiosity towards tech
or just need guidance to use that curiosity for good.
So FC goes to school and gives free talks to teens.
Generally, they start with,
I rob banks for a living, right?
Which always gets everyone's attention because they're like, I rob banks for a living, right? Which always gets
everyone's attention because they're like, hang on, isn't that a criminal thing? And then we sort
of go into it. It's like, how do I do it? Why I do it? Why it's not illegal when I do it, but it
would be illegal if other people did it. And so it just tries to capture their imagination a little
bit about there are some interesting jobs out there that you may not have heard from your careers advisor very cool but some talks he gives students are really quite powerful
and eye-opening to them one of the things we do is we'll get people up to show them how spearfishing
works right so this is all well and good if i get on stage and i perform a spearfishing attack or
any kind of hack right i've already introduced myself as a
you know a hacker and I've been doing it for many years I've got loads of skills if I get up and do
a thing then everyone's like well yeah he's a hacker he's gonna do that right but if we get
someone up from the audience and we talk them through how to do the procedures even if it's
something simple like a spear phishing attack right using the se
toolkit then then it becomes really more impactful for them and for the audience because the audience
is like oh my god like this person who has never done this before is able to put in all these
commands and then take over this network like really easily in like 20 minutes how easy is it for someone with actual skills so it becomes
a lot more impactful when you see someone who doesn't have those skills originally and it
doesn't take a lot to really show someone how how easy it is to do i mean i bet some of my
audience is wondering wait aren't you teaching some of the bad kids to do bad things? Yeah, I always get this question like,
oh, shouldn't you be careful what you're telling people, right?
You shouldn't be teaching people how to pick locks.
You shouldn't be telling people how to break into places.
It's like, okay, criminals are going to crim, right?
It doesn't matter what you do.
You can teach them stuff and they may go and use it,
but there's going to be a whole bunch of kids that will take it
and make a good thing out of it.
And it's more important to decimate that information and hope that most people are going to be good guys than it is not giving that information on the off chance that there might be someone maybe that does something bad with it.
Now, while teaching kids about hacking is something FC does a lot, it's not the primary goal of Sygenta. The company needs to make money and going around giving these
free lectures is just a dream come true for him. But to enable him to do that, Sygenta works with
clients to improve their security. Yeah, essentially. But we wanted to do it in a way
that encompasses physical, digital, and the human side of cybersecurity.
Yes, the human side of security is still an important factor to test and make sure that
the people in the office are able to stop potential attacks or criminals, which leads
us back to another penetration test that Freaky Clown did.
I was asked to go and do a physical assessment against a very large government site in a European country, right?
So not in England.
It was in a country that I don't speak their language, right?
And I didn't have time to reconnaissance myself.
I had to rely on someone else that was there.
So I phoned up my colleague and I said, look, I know you don't know physical stuff,
but can you go and check out this building for me?
You're in the country.
It's not far away from you.
Just go and check it out, and then look at all the security issues
and just relay them back to me.
So he phones me back up about it, and he's like, hey, man,
I've checked out this building, and it looks cool.
There's loads of entrances.
There's no cameras.
There's very few security people around.
It's going to be a breeze.
And I'm like, okay, that's a bit different to what I was expecting, but cool.
Freaky Clown hops on a train a week later to head to this country to do the work.
While on the train, he looks over his objectives.
And it's simply to gain access to the building.
He thinks he could probably at least get into the front door.
And from there, he might be able to convince reception that he wants to use the restroom or something.
So, okay.
But at the same time, why not try to go to every floor in the building and all the buildings in the campus?
And just try to access as much as possible just to show his client how successful he was.
So, he arrives at the building. And I turn up at this
site and I swear to God, it is the most secure building I have ever seen in my life. I don't
know what building this guy had looked at, but it wasn't this one. I turned out afterwards,
I found out they have 300 CCTV cameras, internal and external. Right. And they're watched 24 7 they've got one really well guarded entrance
and within the building are policemen moving in groups of two and they have guns right now these
are security guards no no these are actual genuine police in this building, right? This is a government site. They have proper people in there.
It's not just like flyboy third-party security group.
It's like genuine people.
Okay, this does sound hard.
FC doesn't speak the language,
so his social engineering tricks just don't work here because of the language barrier.
He can't even read what any of the signs say on the building.
So he takes a closer look at the front door to assess the situation.
Come walk through the front door, they've got a revolving door with RFID.
So you need an RFID card just to walk into the front door.
And yeah, while it's possible to clone one of these badges
and get through the front door, the security measures didn't stop there. Once you get into the door,
it's all made of glass. You can see this. There's reception to your right. There's two reception
staff. There's four security guards. Then there's further security gates, like the tiny little
sliding glass ones. So I'm not going to be able to jump over them.
I'm not going to be able to distract one of the or both of the security staff.
There's only me on site, so I can't use any distraction mechanisms.
So that's going to be really difficult.
So front door is out. It's just too heavily guarded.
He walks around the back of the building to see what else is there.
Back door, side door, all of the side doors are shut.
They're all one way exits.
Everyone has to go through this thing they've got a a loading bay but that's pretty well covered with cameras so it was like can i get into the building so at this point i'm
thinking no i literally can't there's no way i'm getting into this building whatsoever so i actually
phoned up my account manager and i said to him look um i can't do this like i'm not getting into this building whatsoever so I actually phoned up my account manager I said to
him look um I can't do this like I'm not getting into this place and I'm not even going to try
because to be honest I can't speak their language and the only thing that is stopping them from
shooting me is a letter that will be in my back pocket and I don't know if you can picture the
scene that was in my head at that time which was I break in I get seen by two policemen who pull guns who were yelling at me in a foreign language
and then I go to pull something out of my pocket as proof that I should be there I don't think
that's gonna go go well at all so I'm like I'm not doing it right I'm just not doing the thing
and he's like I knew you'd say this, but you always pull it off.
So just think about it overnight and go back.
So I'm like, all right, whatever.
So I recon the building for a couple more days,
putting it off as much as I can.
And I'm like, shit, how am I going to get into this building?
This is truly well guarded.
FC kept going back to the building to look around.
At different times of day, trying to figure out if there's any weaknesses at all in this building so that he can get in.
He notices something at the loading bay where the trucks pull up for deliveries.
He looks around there for any opportunity to get in, but he's not sure.
But it has a unique um physical layout right so it's these two ramps
that come down to the door so it's it's an underground loading bay um and as i'm looking
through um options into how to get in i'm up really early one morning and i'm looking at the
building and i just happen to be around the back of the building when I noticed that the sun at a particular time of day is shining down one of these ramps and is
basically just highlighting one of the cameras and it's then that I realized that if that sun
is shining on that camera at that time it's probably whited out and it can't be actually doing anything.
You can't be able to see anything unless they're really lucky and got some really good light optics
on it. It's probably going to be the only way in. So I had to wait until that time the next day
and then quickly run down that ramp and get in through the loading bay whilst it was open and then hope that nobody saw it.
Sure enough, that camera wasn't able to see at that exact time of day because the sun was blinding
it. If you were staring at the footage from that camera, you wouldn't have seen him walk up. You
wouldn't have seen him open the door or go in. But all you would have seen is one frame where his foot went into the door. This worked.
FC was in the building and nobody saw him or stopped him.
And so I get into the building.
I'm into the loading bay and it's pretty much empty.
And there's some glass doors right at the back going into the offices.
And, you know, I'm like, OK, I'm pretty relieved.
I'm still expecting someone to turn up any second
because they're probably pretty much on the ball and i see some people walking past this glass door
and the door's locked right so i can't be open from uh the loading bay side because i don't have
a key or anything like that right and so i'm banging on the glass trying to get someone's
attention and eventually someone sort
of sees me and it's like looks at me quizzically through the door and I'm like I forgot my pass I
can't get back in um you know hoping they sort of understand English and I'm gesticulating with my
arms as much as I can and eventually he just like opens the door for me so I'm like okay cool this is this is actually pretty cool i walk into the into the main office area
and i walk about i don't know 20 30 feet to my left and i take a right and standing in front of
me are two of these security guards right and all i can fixate on is their handguns. And they're looking at me, and then they sort of just say hello.
And I just sort of nod at them and wave, thinking this is never going to work.
Like, this is going to last, like, two seconds and I'm arrested.
And they just nodded at me and walked off.
And I was like, oh, my God, like, have I just got away with that?
Is that how easy this is going to be today? And so I wait until they're outside and I just got away with that is is that how easy this is gonna be today
and so I I wait until they're outside and I just run it run off like just peg it down this corridor
up some stairs until I can find like a toilet to sort of sit in for a bit and just
gather myself and be like oh my god how the hell did I get away with this this is like
been fluke after fluke um that that one of the scariest moments, I think, for me.
Well, he's in the building. This was his mission. But of course, he wants to see
what other things he can access. After he calms down in the bathroom for a minute,
he comes out and carries on, walking down the halls, looking for any interesting rooms to pop into.
This government building had a really nice sort of auditorium for hosting other governments,
and they had a lot of translation booths, etc.
So I managed to get into one of the sort of translation booth parts, right?
So like where the interpreters sit.
Whenever you look at a movie and they're like got the people with the earpieces talking um you know translating stuff that that's where i was stood in one of these things and i started playing with the kit around me and i noticed that there's
there's actually some really good network kit hidden in the cupboard so i i got the cupboard
open and uh i put in a Raspberry Pi into the network.
So I just plugged it in, configured it, and then just left it there so that we could remotely access that network from outside the building.
Raspberry Pi is just a mini computer.
It's about the size of a deck of cards.
It's easy to hide, and it's perfect for hackers like him.
His had a cellular connection on it, so he could access it from home or anywhere
in the world. And then once he accesses this Raspberry Pi, he's on the network inside this
building. So he's got inside access to stuff. And from there, he can hack into the place further if
he needs to. He keeps exploring this building. And something he saw when he was walking around
outside is that this building complex actually consists of three buildings. And there's
a little bridge that connects each building from one to another. And he finds the bridge that goes
across to the other buildings. But there's a problem. Man traps. A man trap is like a little
glass room, just big enough for one person to enter. The goal is to remove the option for people
to tailgate through
the door with you. One person enters, the door closes behind them, trapping them in there,
and they have to show their ID. And that might be a badge or a fingerprint or an eye scan,
which proves their identity and the opposite door opens, allowing them through. Many also
check the weight to make sure you aren't carrying anything big through or that two people aren't coming through together.
Now, I probably would have looked at this and said,
forget it, it's impossible to get through that and go somewhere else.
But FC thinks of this differently.
Yeah, but this is the point, right?
So my job is not to get in and do the thing, right?
Like whatever the goal is, whatever the client wants
me to do, that's not really my job. My job is to push the boundaries until I get caught.
So he's determined to get across this bridge into that other building. But in order to do that,
he would first have to go through one man trap just to get onto the bridge. And then once he's
across the bridge, he has to go through another man trap
to get into the next building.
And so I had to basically tailgate through those.
And that becomes a little bit more awkward
because if you're in a man trap,
you generally don't have a lot of room.
So I waited until I found someone
that kind of looked a bit nervous anywhere.
You know, sort of the milk toast type person
where they're just
not very confident you know that they're not going to answer you back or anything like that if you
if you get argumentative with them so i saw this one guy he must have been you know mid-20s something
like that quite young looked nervous as hell maybe his first week or whatever and he goes into the
the man trap and i literally just run straight into him slam
straight into him and we're like oh my god sorry mate i didn't see you there i was trying to get
through the man trap door so we're now face to face like almost cheek to cheek in this little
man trap as it's like revolving around and we're like sorry that was really awkward and and so he he doesn't know what to do with himself
and i'm just trying to make it more and more awkward by getting closer and closer i didn't
need to you know there was plenty of room for two people in there but the more awkward you make it
the more uh the more likely they are not to confront you about it so we get out of that
one man trap and we go to the next one and
obviously it's not expecting two people so i have to cram in with him again and now it's slightly
less awkward for him this is now the second time he's been in very close proximity to me um but he
he still doesn't know how to react to this so i'm just trying to wait for this door to revolve around
and we we get out to the other side.
And I know this building is the one that has the main entrance, right?
To the main exit point as well.
So I say sorry to him again and I sort of go off in opposite direction.
Probably the weirdest thing that's probably ever happened to him in his entire career.
So I run down some stairs.
I get into the main reception area.
He's now at the front entrance. He wants to try to leave the building in order to accomplish this mission. But to get out, there's a little gate. There's a reception desk and a security desk.
But remember, you need a badge just to open the front door and then another badge to get through
this gate to get into the building. And all I'm doing is thinking, oh, my God, like, what if they need the tag to get out?
I'm going to approach a security desk and there's security guards there.
And if it needs a tag to get out, I'm kind of screwed.
So I'm trying to put on a brave face as I go up to this exit.
And thankfully, it's just an infrared beam that sort of detects if someone's there and it just opens the gate and i walk
through and just okay i really hope that i'm gonna make it between like you know these security gates
and the door which is only like 30 feet but if someone is gonna stop me at any point, it's going to be now.
And I sort of just push the door open, walk out, out onto the street, and then run away.
Like I say, there's always running to do in social engineering.
Nice. He did it.
He accomplished the objective, which was just to get into the building.
Not only that, he got into two buildings and planted a raspberry pie for further exploitation later.
Now, FC likes to try to dress like the people who are supposed to be in that building.
And this way he can blend in better and looks like he belongs. So I always dress how my target audience is, right?
So I broke in the first time, the beginning of the week into this building, looking exactly the same as everyone else.
And no one really paid me any mind. So broke out went back the next day slightly dressed down
again no one spotted me so by like the third or fourth time um i was dressing a complete slob
right so i had like really ripped jeans i was still wearing my baseball cap i had like a fake
tattoo sleeve on t-shirt
like with the logo on it all the stuff that they they shouldn't be allowed to wear in this building
and nobody was still paying the attention so part of my job is to like take photographs of like
evidence of where i've got to right so i'm thinking okay, I need to step this up a little bit. So I go back down to reception and I'm like,
hey, I forgot my jacket, it's upstairs.
I need to get something out of my car.
Can you let me back in when I come back?
And the receptionist is like, yeah, sure, no problem.
And so I go out to my car and I get a massive SLR camera, right,
with a huge lens on it.
And I come back in and the receptionist
finally lets me back into the building because she assumes that I work there right um so I walk
back up onto the I think it's the finance and HR floor right so quite a restricted floor and I'm
like how much can I push this so I stand on a chair right which is not normal office behavior
well at least in the offices I worked um I stand on chair and, which is not normal office behavior, well, at least in the offices I worked.
I stand on a chair and I start taking photos with this massive camera
of, like, you know, unlit desktops and all sorts of security issues, right?
When all of a sudden this woman appears from out of nowhere,
she's like, excuse me, sir.
I'm like, oh, great, someone's finally spotted me
and is going to ask what the hell i'm doing there
right and she's like excuse me sir um are we gonna be in a magazine and i'm like kind of
let me just carry on taking some photos it's bizarre what you can get away with by the time
the assessment was over freaky clown had gained access to all three buildings and had poked around on every floor of
each of them. While the front door and exterior looked impenetrable, he still found numerous ways
in, which allowed him to build a report for his client, who was happy to see all the ways they
can improve security. Obviously, they had taken this very seriously, so they wanted to make it
better. Over time, FC has done many more penetration tests and physical assessments,
and one thing he keeps getting jobs doing is breaking into banks.
So at one point I was breaking into eight high street banks a week, right?
This is how many I was doing at one point.
So we're working down the country to all these banks.
And one of the area managers didn't understand the test or the point of the test.
And he thought we were there to sort of really show him up so what he did was he called all of his branches and told them that
we were coming in which is a big no-no right so i rock up to this uh this high street bank
and i'm sort of ushered to one side which is a bit odd for the story that i've given them right
which i'm not going to
give you because that would get you access into basically any bank right so i get um get ushered
to the side and i'm like okay this is a bit odd like 10 minutes go past 20 minutes go past and
i'm like oh man this is this is not going right and all of a sudden blue flashing lights appear
everywhere armed response come into the bank and it's's like, oh, mate, what have you done?
So I had to explain to them what my role was and what my job was.
And I was there really trying to rob the bank, but not really as a criminal,
which is always an interesting conversation to have with police.
Now, when a social engineer gets caught,
typically they try to figure out a way out of the situation,
to lie or make up a
story just to get out of it. But since the actual police were involved, he knew he had to come clean
with why he was there. So there's a couple of fails in this was one, the client telling the
branch that I was coming, but two, the branch massively panicked. There's a whole set of
policies and procedures that they should go through if they think they're under attack like this.
What they did was they circumvented most of them and went straight to calling the police.
Now, the interesting thing there is if they were charged with wasting police time and you can only have about three to five of those per year before you get blacklisted.
So if if they had any more of those then they're
not going to get armed response that quickly right because it's just going to be the police
will be like well they're wasting our time it's it's a ridiculous rule but it does happen um so
they they really messed up with that one really badly but the interesting thing there is um i i
obviously have a letter explaining who i am
and what i'm there to do and i have authorization etc but um you know this was one of the very few
times i've ever had to produce it but the thing is i'm always carrying two and the second one
is actually a fake and so that fake one has basically the same information but with numbers that relate to
colleagues right so when the branch manager phoned it up they were actually phoning a friend of mine
and he said no no he should definitely be there because we're testing that procedure as well
like are they doing everything that's written on the letter which says phone them using your
internal phone system don't use the numbers that are here. And if they're not following that, then that's another fail for them.
Yeah, when the police are involved, you just don't want to play games with them.
So he had to come clean on everything. And they called all the people who he said
gave him permission to do this. And they found that everything was legit. So they let him go.
But Freaky Clown doesn't always go on-site to rob banks. Sometimes he can
just rob them through the internet. Getting into banks over the internet is probably even easier
than physical assessments, right? Because you can hit anywhere on their environment to get in,
right? There's always loads of little flaws that you can take
advantage of like what are some of those flaws so a lot of cross-site scripting a lot of sql injection
um you know bad uh bad configurations of network defenses um using some interesting
techniques where you kind of blend a bit of the physical
and the digital side so sometimes what we've done in the past is created a physical device
um break into the bank itself implant that physical device and then then use that to gain
access in and and this really comes back to the the whole core of sygenta right it's like
if you don't have physical sorted then it doesn't really matter how good your defenses are digitally
because we'll just use the physical bit to get past all of that um so yeah there's a ton of
techniques that you know a lot of pen testers use for getting into sites But because it's a bank, it doesn't make it any better,
to be honest.
There's generally a little bit more
lax in some areas
because they're so huge,
they can't always update
everything that they need to do.
While he's hacking banks networks
over the internet,
he's sometimes able to fill
his bank account with money.
Yes.
So one of the pictures I love to show to to kids when
we're doing a lot of outreach and i'm talking about how we how we rob banks and how we how we
sort of do all these fancy things is i showed them a picture i took uh some years ago of a
an atm of my accounts after doing one of these um assessments and And what it does is it shows a picture of about five or six different accounts.
And in each one is more than a million pounds that we've taken out.
Obviously, we have to give the money back.
That's part of the ethics of it.
But it shows that once you're into those systems,
you can very easily transfer out money to wherever you need to um and a lot of the defenses that
banks use are it's very complicated because they they have people that know how to transfer money
right like bulk money and they have people that know the computer systems but they have this weird
separation where they go okay the people that know how to transfer the money don't understand
the technicalities that they need to circumvent and the people that know how to circumvent the
technicalities don't know how the money sending process works so we're kind of okay with that
um but when you get uh an ethical hacker that comes in that knows a bit of both then that's
when all sorts of trouble can happen and then you can literally just siphon out millions of pounds out of the bank systems
into other accounts. After hearing this, I think most companies aren't ready for a skilled social
engineer to break into the building to try to steal real assets like this. Office workers get
a yearly security training where they teach you how to spot phishing emails, but I don't think it teaches you
how to handle a phishing call
or a person asking you to open a door for them
because they forgot their keys in their jacket upstairs.
We want to be nice and helpful to others,
and often we are.
It's often said that the human
is the weakest link in security,
and scammers and criminals can manipulate people
to carry out attacks a lot easier than manipulating a computer. But what's also true is the weakest link in security, and scammers and criminals can manipulate people to carry out attacks a lot easier
than manipulating a computer.
But what's also true is the human
is often the strongest link too.
With the right set of eyes and a well-trained staff,
it can drastically reduce the vulnerabilities in the office.
There are troves of stories
about how one person ruined an entire plan for some hackers.
Like for instance, when a hacking group broke
into a bank and attempted to transfer money to their accounts, it was a human who saw that
transfer was a little odd and decided to flag it to be followed up on. And sure enough, it was not
an authorized transfer. And this one person stopped this cyber attack, which took months of planning
and preparations. So I think if you want to have a secure environment, it really
needs to be the job of everyone in the office to help keep things secure, starting with the CEO or
president and working its way all the way down to the nightly cleaning crew. With proper training
and education, the human can be the strongest defense to cyber threats. And in fact, a lot of
times, it's our only hope.
Thanks so much to FC, Freaky Clown, for coming on the show and telling us your stories.
This show is made by me, The Hash Smasher, Jack Recider. Sound design was done by the curator,
Andrew Merriweather. Editing help this episode by the devilish Damien.
And our theme music is by the space senpai, Breakmaster Cylinder.
And even though somewhere in the world, a company was just breached,
and the CISO said, how is that possible?
We're PCI compliant.
This is Darknet Diaries.