Darknet Diaries - Ep 22: Mini-Stories: Vol 1
Episode Date: September 15, 2018
Three stories in one! In this episode we hear about a penetration test from Mubix that he'll never forget, an incident response from Robert M. Lee which completely stunned him, and a social engineering mission from Snow.
Podcast recommendation: Moonshot.
Transcript
Okay, so this one time in high school, I had some friends over.
Actually, it was a sleepover.
My parents weren't home that night, but I had permission to have friends stay over.
We stayed up late at night, and we were playing outside in the front yard.
We had all the lights on out front, and the garage door was open too.
We took a break from playing and came in the house to get some snacks.
We were sitting in the living room laughing and eating chips.
And just then, a woman opens my front door and walks into my house.
We all freeze.
Nobody knows this woman.
She looks at us, turns around, and walks back outside.
My friends ask, who was that?
I have no idea.
I sprang up, peeked out the front window.
Nobody was there.
I could feel my heart pumping.
I slowly opened the front door and went outside.
As I got out there, I saw someone going into my house through the garage door.
I go after them, following them.
And by the time I get inside, there are three strangers standing in my living room,
looking at my friends.
It was freaky.
I was bewildered.
One turned to me and said,
You must be Albert.
I'm not Albert, I shouted.
Then they said, Oh, you must be Eric then.
I'm not Eric either.
Nobody here is Albert or Eric.
Panic set in on the strangers in my house.
They all looked at each other with their eyes widening.
I then spoke up.
But there is an Albert and an Eric that live next door.
They looked at the piece of paper in their hand and back to me
and immediately started apologizing.
They came to visit the neighbors, but they didn't read the directions right.
And the neighbors told them they'll just leave the door open
and they should just walk on in since they're arriving so late.
But then they got the house wrong and walked into my house instead.
I can laugh about this now, but I was freaked out at the time.
You ever make a mistake like this?
Where when you misread one number,
it puts you in a situation that has crazy consequences.
These are true stories from the dark side of the internet.
I'm Jack Rhysider.
This is Darknet Diaries.
I'm going to try something a little different this episode.
Usually I do one long story, but instead I'm going to do a few mini stories.
These are shorter stories, which are too good to ignore, but not long enough for a full show.
This first story is about a guy named Rob Fuller, who also goes by Mubix.
And I like using hacker names for people, so I'm going to call him Mubix for the rest of the story.
I work at Uber as a senior security engineer.
I'm a senior technical advisor for the HBO show Silicon Valley, as well as the host of the Hak5 show,
Metasploit Minute.
Before he did all that, he was a penetration tester,
and his job was to hack into companies
to test their security.
We were doing these tests pretty regularly
for different companies.
He'd often come into work,
be given a URL and a block of IP addresses,
and be told when to begin scanning
to try to break into the client's network.
It's exciting work, but it often gets repetitive. But there was one test he'll always remember.
So it was just a standard test out of the gate. It was really even cookie cutter even. We do the
scoping call. We get all the IPs. The test was a bunch of IPs. It was a company that, let's just
say, made widgets. And we were supposed to go after the widget maker and the source code for the widget maker.
Mubix and his team have everything they need to start the mission to see if they can gain access to this widget maker server.
And so we start scanning and look at the website and it's kind of off-ish.
Like the company that had these websites was like an LLC
and the company that we had talked to was like a corporation, a co. And it's like, this is weird,
but like it's a similar or same name, not a big deal. Mubix double checks the IP addresses he
was given to test and confirmed this was the same IP block that the client gave him to test on. So he and his team proceeded to penetrate the website. First, he scans the entire
IP range and starts looking for various points of entry. There's a web server, an email server,
and more. But those sites look pretty secure. No obvious vulnerabilities are reported on the scan.
The members of his team start digging into lesser known vulnerabilities, trying to find anything
that might be exploitable.
Thinking that he may not be able to get in using a web vulnerability,
Mubix gets a new plan and starts to
set up a phish, get our phish ready,
find the different domains that we can send a phish to,
find a couple of users.
The phish is an email that is designed to trick the user
to click on something they shouldn't be clicking
so Mubix can infect their machine. But before they send the phish...
One of our guys on the team finds a remote code execution
on one of the web apps. Remote code execution means they can run
commands on that web server. This is sometimes called getting a shell. This is bad
because people on the internet should never be allowed to execute commands on your web server directly.
From there, they can do a lot of malicious things.
He found a web application that he could run code just remotely.
The team brims with delight upon getting this access.
The first shell that you get on a pen test is really an amazing feeling. It's great.
Obviously, you have bad feelings for the company.
And like, it sucks that like their security wasn't good enough for whatever it was.
Or it's not so great for them.
But it's still a great feeling that you had the skill or you had the timing or whatever it was that ended up with you a shell.
But so we all were really excited, so
like everything else kind of dropped by the wayside because we had access internally.
Uh, we get the command injection, everybody's really excited, we're like, awesome. So we dump
the phish, we're not going to do the phish anymore, we start looking at where we can go from there. So we get into the
company, get the execution going, get callbacks going to command and control stuff. Like we dump
a meterpreter session on there and it calls back. A meterpreter session is sort of a super tool that
lets you remotely control a computer. You can see what applications are open and what it looks like
from their desktop point of view and what files are on the system.
And you can turn on the microphone and run a programming script and so much more.
This is part of a tool called Metasploit.
Then we pivot into the network and it's a pretty Swiss cheese network.
So we find the same admin on every single box.
The Linux boxes have the same password as the Windows boxes. It's just really a simple test.
And we're just, you know, hipping and hollering, very happy that all this is going on.
At this point, they have gained access to a large number of systems in the network.
They have admin access to most Linux and Windows machines and have mapped out their network pretty well.
They even gained access to their email server and can read all emails being sent in and out.
We hadn't found the goal yet. And that goal was the widget machine and the code for it. So as we
find more detail and trying to figure out where this widget machine is and where the source code
for it is and stuff like that, like no one on the different teams seems to have any information on
this specific widget name.
And it's like a keyword or a code name this company had for this new product they're building out.
And we couldn't find it anywhere.
A week is up, and it's time to call the client to give a progress report.
And we tell them, hey, we broke in.
We found an easy web app.
We found a bunch of admin access.
And the guy's like, that's weird. Like, we don't really normally have admin, like, shared at all.
We do some really good security there.
That's awesome.
I'm really looking forward to the report.
And then he asks about our goal.
And we're like, yeah, we haven't even found
anyone who's working on this widget thing. And he's like, well, that's good. At least we have
some security there where you're not being able to find the developers of these pretty well.
And he was really happy. The weekend passes. The team starts again on Monday,
looking for this widget machine in their network. We're still having zero luck at all
finding anyone that has anything remotely to do with this widget that we're searching for. We can't
even find mention of it anywhere. Like we have access to pretty much everything this company
does, like emails and wikis and shares. Mubix and his team spend the whole week scouring through
the entire company,
looking for any information about that target system they're trying to find, a widget maker
of some kind. But they're finding nothing at all. They read tons of emails. They mapped the entire
network. They took full control of all important systems and still couldn't find it. So at the end
of the week, they get on another call with the client to give another progress report.
We're like, we broke into all these things.
We couldn't find the widget.
Here's the websites.
And the client's like, that isn't my website.
Those aren't my IP ranges.
So we're like, well, those are the ones you gave us.
So we quickly double check that we're right.
And the client goes and looks at the IP range that he sent,
and he's like, oh, crap, that IP is one-off.
And we're like, okay, time to get lawyers involved
and insurance involved, and we need to figure out how to fix this.
Mubix and his team have realized the
severity of what's wrong here. They have systematically and precisely broken into a
company that they do not have permission to break into. Not only that, they've scoured through
almost everything in that company, reading a lot of private information. This is a serious problem.
This is worse than walking into the wrong house late at night.
This is more like when the SWAT team gets the address wrong and busts down the door of the wrong house.
Mubix didn't get the IP address wrong, though.
His client did.
They gave him the wrong IP to test against.
Uh-huh.
And it was just the perfect typo that went to this other company
that did almost the exact same thing, which is insane.
It's kind of like if someone misdialed your phone,
but the person who picked up had the same name as you,
and went to the same school as you, and worked at the same company as you,
but it's not you.
Something like this happening is incredible.
It was just a weird stroke of luck or fate, whatever,
that the company we were a client of at the time
that had been on the phone calls and stuff
was literally one digit in the IP range different than this other company.
And the company that we'd broken into
made very similar stuff with a very similar name.
They just didn't make that particular type of widget.
And we hadn't noticed. We didn't notice at all.
Mubix and his team were getting increasingly concerned.
The tension in the office was very high.
Absolutely astronomical.
Like the lawyers were looking up all kinds of cyber law and trying to find if we were on the hook for this, even though it was their fault.
Right. The point of contact's fault. They combed through, like, probably an entire weekend without getting much sleep, all of the different laws and litigation and precedents that's out there, and talking to our insurance to see what
kind of liability we're in for and how much that's going to cost. The weekend passes. Monday comes
and it's time to call the company they broke into and tell them what happened. Lawyers prepare for
the worst. They were bracing for the point of contact to point blame at us,
that we hadn't verified it or that we hadn't done due diligence on the IP range.
They were kind of legitimate claims, right?
The pen test company should have noticed.
We should have noticed that the IP range was not the same company.
But the company name and what they did were so similar.
It's time to call the client.
They wanted to speak to the head of security, but they needed to get his email address and phone number.
But they found a clever way to get it.
Easy. We had access to everything. We just looked at their
global address list, shrink out the GAL, and find the security guy.
Since they had full control of their Active Directory server, they could look anyone up
internally using their global address list. So Mubix, his manager,
his team, and the lawyers all get on the conference call. They call the head of security
of the company they just broke into.
Mubix's manager explains that they just broke into the company and gained access to everything.
He started apologizing. We all started apologizing.
And like the security gentleman at the other company was like, wait, what happened?
How'd that work? You broke in? Um, great. We've been trying to get a pen test here for like
years and no one has ever given me enough buy-in for it. I'm like, what, you're happy?
Yeah, this is great. Do you have a report? And we're like, yeah, here it is, here's the report out.
He's like, that's amazing. Um, can we get you guys back next year? It was like, holy crap. He's like,
now I can get budget for all the security problems, the local admin stuff I've known for years and
I just can't get rid of it. And it's like, oh my God. Like that could have gone so much worse.
The lawyers were on the phone and they couldn't believe it. Like it was unbelievable. And he was
so happy. At this point, two weeks into this, Mubix still hasn't even begun to test the actual
company he was supposed to test against.
So the other company was just so happy that there was not going to be a lawsuit because technically they were at fault for giving us, providing us wrong information.
That they didn't even want another test from us.
So, I mean, they were, the security guy was okay.
The lawyers were kind of pissed, and their management were kind of pissed, and I get it.
I mean, they don't know the technical aspects of, you know, what went wrong and how serendipitous it was with the IP ranges being so similar.
So we didn't get them back as a client,
but we got a new client.
This new company they actually tested against remained a client for years
and would get regular penetration tests
from Mubix and his team.
But eventually, years later,
Mubix moved on from doing pen tests.
And I actually still talk to the point of contact
pretty regularly.
And he's still telling that story to this day.
The world aligned in a lot of ways:
one, to screw us up by having the company so close to the original,
and two, to make it so that that new company
wasn't going to make us liable for it and was really totally cool about it.

too much about how scam callers work. They'll use anything they can find about you online to try to get at your money. And our personal information is all over the place online. Phone numbers,
addresses, family members, where you work, what kind of car you drive. It's endless and it's not
a fair fight. But I realize I don't need to be fighting this alone anymore. Now I use the help
of Delete.me. Delete.me is a subscription service that finds and removes personal information from
hundreds of data brokers' websites and continuously works to keep it off.
Data brokers hate them because Delete.me makes sure your personal profile is no longer theirs to sell.
I tried it and they immediately got busy scouring the internet for my name and gave me reports on what they found.
And then they got busy deleting things.
It was great to have someone on my team when it comes to my privacy.
Take control of your data and keep your private life private by signing up for Delete Me.
Now at a special discount for Darknet Diaries listeners.
Today, get 20% off your Delete Me plan when you go to joindeleteme.com slash darknetdiaries
and use promo code darknet at checkout.
The only way to get 20% off is to go to joindeleteme.com slash darknet diaries and enter code
darknet at checkout.
That's join delete me.com slash darknet diaries.
Use code darknet.
Support for this show comes from Black Hills Information Security.
This is a company that does penetration testing,
incident response and active monitoring to help keep businesses secure. I know a few people who work over there,
and I can vouch they do very good work. If you want to improve the security of your organization,
give them a call. I'm sure they can help. But the founder of the company, John Strand,
is a teacher, and he's made it a mission to make Black Hills Information Security
world-class in security training.
You can learn things like penetration testing, securing the cloud, breaching the cloud,
digital forensics, and so much more. But get this, the whole thing is pay what you can.
Black Hills believes that great intro security classes do not need to be expensive,
and they are trying to break down barriers to get more people into the security field.
And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range,
which is great for practicing your skills and showing them off to potential employers.
Head on over to BlackHillsInfosec.com to learn more about what services they offer and find links to their webcasts to get some world-class training.
That's BlackHillsInfosec.com. BlackHillsInfosec.com.
Our next story is so strange that it stunned our guest and me, and maybe it'll stun you too.
I suppose an introduction is in order.
Sure. Robert M. Lee. I am the CEO and founder of Dragos.
Robert started out in the Air Force, where he faced off against many nation-state attackers and advanced persistent threats.
He then moved on to the private sector, doing incident response for cyber attacks.
He then took an interest in industrial control systems and started his own company called Dragos to defend against industrial attacks,
like attacks against dams and nuclear facilities
and water treatment plants.
And one day he gets a call from a client
who thinks they're infected with malware.
The client operates wind turbines
and effectively started noticing
some abnormal behavior in their environment
and ended up reaching out and calling us
to go do an incident response with them. When I first sort of took the call, my question immediately to them
was, well, how do you know? What are the indications that you have an incident? How do you know that you
already need an incident response? Usually there's, unless it's entirely obvious, there's questions at
first about, hey, we think we're compromised. These folks were pretty persistent: they were absolutely compromised. But every question I asked them, around is
data leaving your environment, or are any of the turbines down, you know, any of the normal things
that might come up, they were just very cool-headed about it all and said, no, no, no, everything's fine,
we just know we're compromised. And so it struck me, the kind of lackadaisical, sort of laid-back attitude they were taking to the incident,
which was my first indication this might be an interesting case.
Robert takes the case and heads to the wind farm.
This is not a huge wind farm.
We're not talking your large operators.
So in the world of, like, wind energy, you've got everything from those folks
that are kind of your management companies to the folks that may be doing control centers and SCADA
kind of work for multiple companies. But you've got tons of these small little companies that pop up
that might have access to a dozen, 20, 50, you know, wind generating units. And they're just, they're not even really connected
to the grid. They're not really normal electric providers like we think. They're definitely not
utilities, right? It's just, they're just generating a small amount of electricity
and they sell it off to a larger company or somebody who can get it onto the grid for them.
He takes a look around the wind turbines to see what the network looks like.
The client was reporting that a dozen of their wind turbines were infected with malware,
and each of the turbines had their own Windows computer connected to it.
This computer would monitor the wind speed, production output, health checks,
and be able to control parts of the turbine.
As we got on site, we asked, you know, hey, what all took place?
How do you know for sure that something's wrong?
What made you so cool-headed about knowing that there was an incident and not freaking out?
They said, oh, it's real simple.
Our wind turbine network has been patching itself.
We kind of pushed back a little bit, like, okay, so it's been patching itself.
That's definitely an interesting behavior.
And I'm like, well, are you sure there's not somebody from IT that's been doing, you know, patching, coordinating with the operations folks and said, oh, no, no,
no. We checked with IT. It's definitely just patching itself. And so at that point, you know,
we thought it was pretty interesting, of course, we go take a look. And as it turns out, where
there were Windows operating systems in the environment, they absolutely were being patched.
And as we looked at it, it was pretty clear that there was malicious activity on the systems.
It wasn't hurting anything.
It wasn't damaging anything.
It was effectively, you know, early crypto jacking kind of software where they were effectively
using the spare resources on the system to be able to do, you know, various cryptocurrency type mining.
I think this one was actually Bitcoin, if I remember correctly.
Hackers who got into the computers at these wind turbines were using the systems to mine Bitcoin.
The way hackers like this work is they get dozens or hundreds or thousands of computers that they
don't own to all mine Bitcoin for them at once. A handful of computers mining Bitcoin like this
isn't much profit. But if hundreds or thousands are going all at once, then the daily profit starts to become
significant. Basically, they infect the machines with software that would utilize the spare CPU
and graphics power to make money off it. These wind turbines were connected to the internet, and the
hackers somehow found their way into these systems and were making money from it. It seemed that the adversary was keeping up with the patches.
And our assessment of the situation was they were keeping other malware and other adversaries
off those systems by updating them and maintaining them so they could have their little cryptocurrency
farm there across the wind farm.
But probably the most interesting thing,
what makes it really interesting from an IR story
has nothing to do with the fact that
adversaries are taking advantage of Windows systems.
Sure, it's interesting that it was a wind farm,
but what really got interesting is we made the recommendation,
here's how we can clean this up.
So we figured it all out.
Here's this activity group that is related to cybercrime.
We can absolutely take care of this for you.
No problem.
It won't be any big deal.
have pulled the data to show that we now have a faster and more reliable patch cycle
with the adversaries than our own IT departments.
Like, look, you can't really just let the adversary stay.
There's a lot of risk in doing that.
You don't know what else the connections will be used for.
So, you know, when they eventually make a mistake,
all that risk is completely on you. I mean, have to get it every which way I could. Um, but as much as
I hate to admit it, the business owners decided that they were going to let the activity remain
but just put some additional monitoring in place
since they were effective at deploying patches across the environment.
And from an operations perspective, I was stunned.
These are systems that weren't really supported on their contract anyways.
They didn't have the warranties that were going to be voided by the deployment of the patch.
I mean, all of the normal considerations that would have pushed against this kind of
had met this perfect storm where they were completely comfortable with the adversary
being in that environment. It was just stunning to me.
From the adversary's perspective, I imagine they were trying to do a fairly low and slow
kind of approach to not be noticed in the first place or not be sort of kicked out in the first place.
So it wasn't like they were bogging down the systems to a point that it was having an impact
to the operation.
I mean, the systems were definitely slower and the resource utilization was high on them,
but it wasn't making it where they couldn't produce energy from the wind turbines.
And so, yeah, it was, yeah, I was stunned.
Normally, an operations team, industrial kind of your operators, the industrial control
environments, not in a million years they'd allow that. Even if it somehow was better than IT,
they don't want random patches to go out whenever somebody feels like it,
uncoordinated, unscheduled. But this was a very small operation. We're not talking like a
national wind farm, national kind of company. This was a smaller company that didn't have a
ton of resources in the first place. And the idea of free IT services probably seemed pretty
enticing, I guess.
I don't know what went through their mind.
I was pretty stunned.
I don't want to instill in the idea in people that this is like common at all
or that this is in any way representative of the electric industry.
This is a small junior company who didn't know what to do in this situation
and made a decision that they were
comfortable with. But I wasn't fully a fan of, as I think about this case study out loud now,
I can already see somebody being like, oh, the electric grid was threatened by blah, blah. No,
no, no. It's a small number of wind turbines. It has no impact on electric grid whatsoever.
So while Robert came to do incident response and clean the malware up,
he left the wind farm
with malware still running.
The client was happy
that he was able to
solve the mystery
of why these systems were patching.
And the client put together a plan
to clean these systems up
when the time was needed.
And they made sure
they had backups
and isolated the systems
so they wouldn't be able
to get anywhere else.
But they let the hacker
stay on the systems
and mine the Bitcoin.
And they let the two live
in a strange symbiotic harmony.
This episode is sponsored by SpyCloud.
With major breaches and cyber attacks making the news daily,
taking action on your company's exposure is more important than ever.
I recently visited SpyCloud.com to check my darknet exposure
and was surprised by just how much stolen identity data criminals have at their disposal.
From credentials to cookies to PII.
Knowing what's putting you and your organization at risk
and what to remediate is critical for protecting you and your users
from account takeover, session hijacking, and ransomware.
SpyCloud exists to disrupt cybercrime
with a mission to end criminals' ability
to profit from stolen data.
With SpyCloud, a leader in identity threat protection,
you're never in the dark about your company's exposure
from third-party breaches, successful phishes,
or info-stealer infections.
Get your free Darknet Exposure Report
at spycloud.com slash darknetdiaries.
The website is spycloud.com slash darknetdiaries.
This summer I took a trip to DEF CON, the largest hacker conference in the world.
It's just like you would imagine a hacker conference to be.
Lots of people wearing black, dyed mohawks everywhere, antennas sticking out of backpacks, and blinking lights everywhere.
When I was there, I got to meet Snow.
She started telling me about an interesting story, so I turned on the mic and started recording.
I started out by asking her how she got started as a hacker.
So, it's funny that you asked that question as we're here at DEF CON.
I actually, everything that brought me to do to my career is because of DEF CON.
It was DEF CON 18 or 19.
My husband, who's been in security for years, finally decided to come and he asked me if I wanted to go.
I had no interest at all in attending a hacker conference.
That was just not something I wanted to do.
But I wanted to go to Vegas.
And I just wanted to sit up by the pool all day and sip on drinks.
And that sounded perfect.
He actually ended up giving me a badge.
And I think the very first talk I went and saw was something about malware reversing.
And it just went over my head.
And I just had to get out there as soon as possible.
So where I went from there
is I found the lock picking village.
So that day I picked my first couple locks
and I got a fan cast.
I remember just feeling that rush was amazing
and I loved it.
So from there, I wandered around some more
trying to avoid talks as much as possible.
And I found the social engineering village.
And I remember sitting in the room
and watching the calls and just thinking that this was made for me. The social engineering
village at DEF CON is an area where you can practice, learn and compete in social engineering.
Just watching people sit there and ask like creative ways they ask questions to get specific
pieces of information. And it just, I mean, they made it look easy and I knew it wasn't that easy,
but just how creative they were, I think was what really sparked my interest.
On stage during the competition, you can watch a live person in a sound isolation booth on a call
trying to trick someone into giving them information they shouldn't give out. It's
fascinating to watch this live and to learn all the effective ways they're lying to people to get
what they want. And then after that, I remember just researching everything I could on social engineering.
I bought every book that was made.
She went home from DEF CON with a completely new passion.
And she felt like she was pretty good at it.
So she came back to DEF CON the next year.
And I went back and I competed in the contest.
She didn't win, but she learned a lot.
This contest is actually several months long,
and the final part being a live call on stage at DEF CON.
So when she competed, she saw what everyone else was doing,
and she learned about all the places she forgot to look,
and all the things she forgot to do,
and all the different techniques there are for lying to someone
to get them to tell you the information you need.
She practiced and read even more,
and came back again to DEF CON the next year and
competed again, this time ranking high but still not winning the competition. But Snow was determined,
so she went back to studying social engineering some more and practiced even more and came back
to compete for a third year. And I won DEF CON 22. I won the black badge. The coveted black badge at
DEF CON is rare. It's only given to contest winners and a select few.
And besides the bragging rights of being the winner,
you also get free entry to DEF CON for life.
But what's more is this started Snow on a totally new path in life.
After I think my second year competing,
I had a good handful of people in the audience come up to me after
and ask if I would do that work for their companies.
And so that's really what got me going.
And I started my own consultancy and I've worked for a handful of companies doing this.
And so ever since then, I've been just doing this work professionally.
More and more companies are seeing how the humans in the office are often the weakest link in security.
So they hire social engineers to not only test the security of the people in the company,
but also to use it as an opportunity to teach them how to be safer.
She tests for a variety of security controls.
So the main ones that I do are physical security,
phishing, which is sending the emails,
vishing with a V, voice phishing.
And then I do a lot of open source intelligence gathering.
So before I do any of these assessments,
I'm always going online,
seeing what information I can use
to better craft my campaigns.
For years, she continued to do this consulting work,
testing networks and people.
And one day she got a call from a Fortune 500 company
wanting her to do some social engineering tests against them.
And they just opened up a brand new headquarters in Europe and they wanted to test
their brand new European headquarter location. So my goals for that assessment were mainly to see
if I can make it onto their floors. So it's like a 20 floor skyscraper and they had five floors in
there. So that was the main goal, get onto the floors,
followed up by seeing what information I could get from employees. However, the scope was really
limited. I couldn't do RFID cloning. I couldn't do any type of bypassing, lock picking, things like
that. So my hands were kind of tied in that sense. From there, I decided to try to figure out who I wanted to be for this assessment,
and while I'm doing open source intelligence gathering, I'm trying to find where they have
their doors, what kind of security is in place. That way I know what I'm getting into before I
go on site. So as I'm doing all this research, I'm not finding shit. It's a brand new building. It's
not even on Google Maps yet. Most of my clients that I've done, I'm able to find, you know, their property management
companies, phone numbers, like all, you know, their buildings. So I can do street view around
the building, all kinds of stuff. But this one had nothing because it was new. They didn't even have
a huge employee presence online, because that's another thing I like to do: I like to look at
Facebook and Instagram, even LinkedIn, to see who's posting pictures of their employee badges. That way, before I go on site, I can
create my own so I can blend in. I'm not finding anything during this phase. So the only thing I
could think to do was show up on site and before I actually start the assessment, do reconnaissance.
And while I'm doing that, I'm looking for employees wearing their badges. That way I can snap some pictures, go back to my hotel room, create my own, and then
hopefully I can blend in. So I'm doing my reconnaissance. I'm walking around the building.
Everything is very locked down. Most buildings will have a main entrance that people can come
in and out of the lobby. This one had turnstiles just into the building. They had RFID, which was
out of scope. So I had a really hard time trying to figure out how to get into the building.
I was able to find a side door that was unlocked and going that way. So the second I'm in the lobby,
I'm looking around, trying to find
employees, trying to look for IDs, and the receptionist looks at me, and I must have stood
out like a sore thumb because she started grilling me with all kinds of questions. And I just explained
I was waiting for a friend, and she said, nope, you've got to wait outside. So she kicks me out.
So right there, I'm like, shit, my cover is probably already blown.
I haven't found any pictures of employee badges. I'm stressing out. This company paid a lot of
money to fly me very far to test their security. And I'm having a hard time just finding stuff
online, let alone a recall. So I go back to my hotel and I'm just, you know, still trying to
research. Hopefully I can find some nugget of information, and I'm not finding anything. So lots of pressure with these kinds of assessments
because you want to do good. And especially if, you know, they're sending you all that way to
perform this kind of assessment. So I'm banging my head against the wall for a while and I finally
come up with the idea because I saw a news article they released that they had a bunch of new investors for this new building.
So my idea was I was going to be an investor relations manager from the Americas building,
and I was coming over to check out the new building and to set up meetings with potential new investors.
When you throw around the word investors with companies that big,
they will bend over backwards for you. So what I did is I found the phone number for a VP in the
Americas. I spoofed my number to look like it was calling from her. And I called the European
headquarters and said, hey, we're sending out this investor relations manager. She just needs to do
a quick tour of the facility and then set up some
times to meet with some investors. She'll be there tomorrow morning at 9 a.m. Please make sure she
has a guest badge ready and pretty much, you know, give her whatever she wants because she could be
bringing in a lot of money for us. And so in that conversation with the receptionist, she seemed
very willing to help and very happy. So that kind of gave me a little boost, like, okay, this might work.
So I show up the next morning at 9 a.m. I was wearing a business suit and I had a,
so I wasn't able to find employee IDs from the Americas office. So I created one from the
Americas office because I wasn't sure if they
looked different in Europe, which they actually did. So I had an ID created for that. I was in
a business suit. I had a clipboard, which was like a forged document with just a handful of questions.
And on the next page, I had a bunch of information about local large companies that could be
potential investors. So I show up to the receptionist that morning,
hoping she wouldn't recognize me because, you know, I changed my hair around, I changed my clothes, and I had my badge on. So that gave me a lot of credibility. And I said, hey, you know,
I'm this person and I need to get onto, I have a meeting on this floor.
And she hands me a guest pass and walks me right through to the turnstiles and the elevators and walks me right up to their main floor, which is, I don't know, four or five or six or something like that.
And just leaves me there to wait for their receptionist.
Holy shit, I'm on the floor. Like, I got the big goal.
I made it onto the floor.
It's just, it's a rush.
It is.
Oh, yeah.
No, it's, it's very scary. And a lot of
people think that, you know, I've been doing this for years. It gets easier. It doesn't.
Every time before I do anything, or if I'm talking to someone, like I get that, you know,
that feeling in my gut, like, oh God, I'm going to get caught. But it is such a rush and I'm always
nervous every time, every time. So I get onto the floor and I introduce myself
to their receptionist and not the building's receptionist, but my client receptionist now.
And she says, oh, we're so excited you're here. We've been waiting for you. Um, you know,
she offered to get me some coffee and, and she said that she had the facility manager that was
going to show me around and give me a tour of the building. And so he comes a
little bit later and he gives me a tour of every inch of their five floors. And as we're going on
the tour, I'm trying to keep in mind, I need to get information from him because that's my second
goal. So I start saying things like, well, you know, I have a couple of potential investors who
are really concerned about physical security. They've invested in other firms before and they've been broken into. So I need to make sure I can assure
them that this is not an issue. I said, I need to know now where your issues are so I can make sure
they're fixed before I go back to them. And he went through and showed me a handful of places
that were actually vulnerable. He explained how one of the side
employee entrances, it was RFID protected. It had the red light, so it should have been locked.
It actually was unlocked during business hours. That right there is a huge finding.
He showed me how if they did have meetings, which were listed on their website,
that they would let the receptionist just check anyone in without verifying. And a handful of other things that were just huge
findings that should not be the case at all, especially for a brand new building.
So from my point of view, if I was an attacker, I know exactly when I can get into the building,
when it's going to be unlocked. I just have to look at their calendar, which they actually had a couple events that next week. And I would know
that I just need to say, hey, I'm here for this event. And they would let me right in, give me a
guest badge. Um, and I would have full access to their whole office. Um, so I was able to complete
my two goals, which I was so excited about. Um, however, I wanted to see if I can get just a little bit more information from him.
So I explained how I did have a phone call
and asked if there was an office I can sit in
because I wanted to see if I would get access to an office.
So they actually put me up in an office
and they wrote my name even on the wall,
like just like a nameplate.
So I was left alone in this office with
my name on it, which was really weird. And I wish I took a picture of it because it just was
just so surreal. Um, and as I was leaving for the day, 'cause I was there, oh man, like four hours
on site. He gave me a very, very detailed tour. Um, as I was leaving, the receptionist actually offered a limo service back to my hotel,
which was pretty badass. I didn't take it because I was staying actually at a hotel
right across the street, so I thought that'd be a little suspicious.
She got back to her hotel room, bursting with joy with the feeling of a job well done.
Just this huge rush. I remember going out and getting a steak dinner that night.
Snow delivered the report to the client, outlining numerous vulnerabilities she found in her assessment. They were very
surprised. They did not think I was going to be able to get in. I guess they actually had an
internal bet. The guys from the Americas office and the European office were like, there's no way,
this is a brand new building. We have RFID in place everywhere. Every, you know, big security
thing. We have cameras, we have all this.
But just by a simple line, spoofing my phone number,
I was able to get so much credibility that I didn't look like a threat.
Social engineering is becoming a more common test for many companies.
It's always safe to verify the strange calls you get by calling that person back or emailing them to confirm,
and to not let people tailgate you into a building,
and to double-check people's credentials, and not always trust when someone else vouches for them. Or just remember
Ronald Reagan's Russian maxim. The maxim is, doveryai, no proveryai: trust but verify.
You've been listening to Darknet Diaries. You can find links and more information about each guest
in the show notes on darknetdiaries.com. This show is made by me, Jack Rhysider, and theme music
is by the ghostly Breakmaster Cylinder. Please help this show out by going to darknetdiaries.com
slash donate. It means a lot to me when you do. Thank you.