[FULL TRANSCRIPT]

JACK: [MUSIC] Okay, so this one time in high school I had some friends over. Actually, it was a sleepover. My parents weren’t home that night but I had permission to have friends stay over. We stayed up late at night and we were playing outside in the front yard. We had all the lights on out front and the garage door was open, too. We took a break from playing and came in the house to get some snacks. We were sitting in the living room laughing and eating chips, and just then a woman opens my front door and walks into my house.

We all freeze; nobody knows this woman. She looks at us, turns around, and walks back outside. My friends ask who was that? I have no idea. I sprang up, peeked out the front window. Nobody was there. I could feel my heart pumping. I slowly opened the front door and went outside. As I got out there I saw someone going into my house through the garage door. I go after them, following them. By the time I get inside there are three strangers standing in my living room looking at my friends. It was freaky. I was bewildered. One turned to me and said you must be Albert. I’m not Albert! I shouted. Then they said oh, you must be Eric, then. I’m not Eric, either. Nobody here is Albert or Eric.

Panic set in on the strangers in my house. They all looked at each other with their eyes widening. I then spoke up, but there is an Albert and an Eric that live next door. They looked at the piece of paper in their hand and back to me, and immediately started apologizing. They came to visit the neighbors but they didn’t read the directions right. The neighbors told them they’ll just leave the door open and they should just walk on in since they’re arriving so late. But then they got the house wrong and walked into my house instead. I can laugh about this now but I was freaked out at the time. You ever make a mistake like this where when you misread one number it puts you in a situation that has crazy consequences?

JACK (INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]

JACK: I’m gonna try something a little different this episode. Usually I do one long story but instead I’m going to do a few mini-stories. These are shorter stories which are too good to ignore but not long enough for a full show. This first story is about a guy named Rob Fuller who also goes by Mubix and I like using hacker names for people so I’m gonna call him Mubix for the rest of the story.

MUBIX: I work at Uber as a senior security engineer. I’m a senior technical advisor for the HBO show Silicon Valley as well as the host of the Hak5 show Metasploit Minute.

JACK: Before he did all that he was a penetration tester and his job was to hack into companies to test their security.

MUBIX: We were doing these tests pretty regularly for different companies.

JACK: He’d often come into work, be given a URL and a block of IP addresses, and be told when to begin scanning to try to break into the client’s network. It’s exciting work but it often gets repetitive. But there was one test he’ll always remember.

MUBIX: It was just a standard test out of the gate. It was really cookie-cutter, even. We do the scope and call, we get all the IPs. The test was a bunch of IPs; it was a company that, let’s just say made widgets. We were supposed to go after the widget maker and the source code for the widget maker.

JACK: Mubix and his team have everything they need to start the mission to see if they can gain access to this widget maker server.

MUBIX: We start scanning and look at the website and it’s kind of off-ish. The company that had these websites was like an LLC and the company that we had talked to was a corporation co. It’s like this is weird but it’s similar. Same name, not a big deal.

JACK: Mubix double checks the IP addresses he was given to test and confirmed this was the same IP block that the client gave him to test on. Him and his team proceeded to penetrate the website. First he scans the entire IP range and starts looking for various points of entry. There’s a web server, an e-mail server, and more but those sites look pretty secure. No obvious vulnerabilities are reported on the scan. The members of his team start digging into lesser-known vulnerabilities, trying to find anything that might be exploitable. Thinking that he may not be able to get in using a web vulnerability, Mubix gets a new plan and starts to…

MUBIX: Set up a phish, get our phish ready, find the different domains that we can send the phish to, find a couple of users.

JACK: A phish is an e-mail that is designed to trick the user to click on something they shouldn’t be clicking so Mubix can infect their machine. But before they send the phish…

MUBIX: One of our guys on the team finds a remote code execution under one of the web apps.

JACK: Remote code execution means they can run commands on that web server. This is sometimes called getting a shell. This is bad because people on the internet [00:05:00] should never be allowed to execute commands on your web server directly. From there they can do a lot of malicious things.

MUBIX: He found a web application that he could run code just remotely.

JACK: The team brims with delight upon getting this access.

MUBIX: Yeah, the first shell that you get on a pen test is really an amazing feeling. It’s great. Obviously you have bad feelings for the company. It sucks that their security wasn’t good enough for their whatever it was or it’s not so great for them but it’s still a great feeling that you had the skill, or you had the timing, or whatever it was that ended up with you a shell. We all were really excited. Everything else kind of dropped by the wayside because we had access internally. We get into the command injection. Everybody’s really excited. We’re like awesome, so we dumped the phish. We’re not going to do the phish anymore. We start looking at where we can go from there. We get into the company, get the execution going, get the call backs going to command and control stuff, we dump a Meterpreter session on there. It calls back.

JACK: A Meterpreter session is sort of a super tool that lets you remotely control a computer. You can see what applications are open and what it looks like from their desktop point of view, and what files are on the system, and you can turn on the microphone, and run a programming script, and so much more. This is part of a tool called Metasploit.

MUBIX: Then we pivot into the network. It’s a pretty Swiss cheese network. We find the same admin on every single box; the Linux boxes have the same password as the Windows boxes. It’s just really a simple test and we’re just hipping and hollering, very happy that all this is going on.

JACK: At this point they have gained access to a large number of systems in the network. They have admin access to most Linux and Windows machines and have mapped out their network pretty well. They’ve even gained access to their e-mail server and can read all e-mails being sent in and out.

MUBIX: We hadn’t found the goal yet. That goal was the widget machine and the code for it. As we find more detail and try and figure out where this widget machine is and where the source code for it is and stuff like that, no one on the different team seems to have any information on this specific widget name. It’s like a key word or a code name this company had for this new product they’re building now. We couldn’t find it anywhere, we couldn’t find it anywhere.

JACK: A week is up and it’s time to call the client to give a progress report.

MUBIX: We tell them hey, we broke in, we found an easy web app, we found a bunch of admin access. The guy’s like, that’s weird. We don’t really normally have admin shared at all. We do some really good security there. That’s awesome, I’m really looking forward to the report. Then he asked about our goal. We’re like yeah, we haven’t even found anyone who’s working on this widget thing. He’s like well, that’s good. At least we have some security there where you’re not being able to find the developers pretty well. He was really happy.

JACK: The weekend passes. The team starts again on Monday looking for this widget machine in their network.

MUBIX: [MUSIC] We’re still having zero luck at all finding anyone that has anything remotely to do with this widget that we’re searching for. We can’t even find mention of it anywhere. Like, we have access to pretty much everything this company does; e-mails, wikis, and shares.

JACK: Mubix and his team spend the whole week scouring through the entire company looking for any information about that target system they’re trying to find, a widget maker of some kind. But they’re finding nothing at all. They read tons of e-mails, they map the entire network. They took full control of all important systems and still couldn’t find it. At the end of the week they get on another call with the client to give another progress report.

MUBIX: We’re like we broke into all these things. We couldn’t find the widget. Here’s the websites. The client’s like, that isn’t my website. Those aren’t my IP ranges. We’re like um, well, those are the ones you gave us. We quickly double-checked that we’re right. The client goes and looks at the IP range that he sent me. He’s like oh, crap. That IP is one off. We’re like uh, okay. Time to get lawyers involved and insurance involved. We need to figure out how to fix this.

JACK: Mubix and his team have realized the severity of what’s wrong here. They have systematically and precisely broken into a company that they do not have permission to break into. Not only that, they’ve scoured through almost everything in that company, reading a lot of private information. This is a serious [00:10:00] problem. This is worse than walking into the wrong house late at night. This is more like when the SWAT team gets the address wrong and busts down the door of the wrong house. Mubix didn’t get the IP address wrong, though; his client did. They gave him the wrong IP to test against.

MUBIX: Uh-huh. It was just the perfect typo that went to this other company that did almost the exact same thing which is insane.

JACK: It’s kind of like if someone misdialed your phone but the person who picked up had the same name as you and went to the same school as you and worked at the same company as you, but it’s not you. Something like this happening is incredible.

MUBIX: It was just this weird stroke of luck or fate, whatever, that the company we were a client of at the time, that had been on the phone calls and stuff, was literally one digit in the IP range different than this other company. The company that we’d broken into made very similar stuff with a very similar name. They just didn’t make that particular type of widget. We hadn’t noticed. We didn’t notice at all.

JACK: Mubix and his team were getting increasingly concerned. The tension in the office was very high.

MUBIX: Absolutely astronomical. The lawyers were looking up all kinds of cyber-law and trying to find if we were on the hook for this even though it was their fault, right, the point-of-contact’s fault. They combed through probably an entire weekend without getting much sleep of all of the different laws and litigation and precedence that’s out there and talking to our insurance to see what kind of liability we’re in for and how much that’s gonna cost.

JACK: The weekend passes. Monday comes and it’s time to call the company they broke into and tell them what happened. Lawyers prepare for the worst.

MUBIX: They were bracing for the point-of-contact to point blame at us, that we hadn’t verified it or that we hadn’t done due diligence on the IP range. They were kind of legitimate claims, right; the pen test company should have noticed. We should have noticed that the IP range was not the same company but like, the company and what they did were so – the company name and what they did were so similar.

JACK: It’s time to call the client. They wanted to speak to the head of security but they needed to get his e-mail address and phone number but they found a clever way to get it.

MUBIX: Easy; we had access to everything. We just looked at their global address list for [inaudible] and find their security guy.

JACK: Since they had full control of their Active Directory server they could look anyone up internally using their global address list. So Mubix, his manager, his team, and the lawyers all get on the conference call. They call the head of security of the company they just broke into. Mubix’s manager explains that they just broke into the company and gained access to everything.

MUBIX: He started apologizing, we all started apologizing, and the security gentleman at the other company was like wait, what happened? How’d that work? You broke in? Great. We’ve been trying to get a pen test here for like, years and no one has ever given me enough buy-in for it. I’m like what? You’re happy? Yeah, this is great. Do you have a report? And we’re like yeah, here it is. Here’s the report out. He’s like, that’s amazing. Can we get you guys back next year? It was like, holy crap. Now I can get budget for all the security problems, the local admin stuff I’ve known for years and I just can’t get rid of it. It’s like oh my god. [MUSIC] That could have gone so much worse. The lawyers were on the phone and they couldn’t believe it. It was unbelievable and he was so happy.

JACK: At this point, two weeks into this, Mubix still hasn’t even begun to test the actual company he was supposed to test against.

MUBIX: The other company was just so happy that there was not going to be a lawsuit because technically they were at fault for providing us wrong information that they didn’t even want another test from us. The security guy was okay. Their lawyers were kind of pissed and their management were kind of pissed and I get it. They don’t know the technical aspects of what went wrong and how serendipitous it was with the IP ranges [00:15:00] being so similar. We didn’t get them back as a client but we got a new client.

JACK: This new company they actually tested against remained a client for years and would get regular penetration tests from Mubix and his team but eventually years later Mubix moved on from doing pen tests.

MUBIX: I actually still talk to the point-of-contact pretty regularly and he’s still telling that story to this day. The world aligned in a lot of ways; one to screw us up by having the company so close to the original and two to make it so that that new company wasn’t going to make us liable for it and was really totally cool about it.

JACK: [MUSIC] Our next story is so strange that it stunned our guest and me. Maybe it’ll stun you, too. I suppose an introduction is in order.

ROBERT: Sure. Robert M. Lee. I am the CEO and founder of Dragos.

JACK: Robert started out in the Air Force where he faced off against many nation-state attackers and advanced persistent threats. He then moved on to the private sector doing incident response for cyber-attacks. He then took an interest in industrial control systems and started his own company called Dragos to defend against industrial attacks like attacks against dams and nuclear facilities and water treatment plants. One day he gets a call from a client who thinks they’re infected with malware.

ROBERT: The client operates wind turbines and effectively started noticing some abnormal behavior in their environment. They’re reaching out and calling us to go do an incident response with them. When I first took the call, my question immediately to them was well, how do you know – what are the indications that you have an incident? How do you know that you already need an incident response? Usually there’s – unless it’s entirely obvious, there’s questions.

First off, a) we think we’re compromised. These folks were pretty persistent that they were absolutely compromised but every question I asked them around is data leaving your environment or are any of the turbines down? You know, any of the normal things that might come up. They were just very cool-headed about it all and said no, no, everything’s fine, we just know we’re compromised. It struck me to be kind of lackadaisical, sort of laid-back attitude they were taking to the incident which was my first indication this might be an interesting case.

JACK: Robert takes the case and heads to the wind farm.

ROBERT: This is not a huge wind farm. We’re not talking your large operation. In the world of wind energy you’ve got everything from those folks that are kind of your management companies to the folks that may be doing control centers and SCADA, work for multiple companies. But you’ve got tons of these small little companies that pop up that might have access to a dozen, twenty, fifty or so wind-generating units. They’re not even really connected to the grid. They’re not really normal electric providers like we think. They’re definitely not utilities; they’re just generating a small amount of electricity and they sell it off to a larger company or somebody who can get it onto the grid for them.

JACK: He takes a look around the wind turbines to see what the network looks like. The client was reporting that a dozen of their wind turbines were infected with malware. Each of the turbines had their own Windows computer connected to it. This computer would monitor the wind-speed, production output, health checks, and be able to control parts of the turbine.

ROBERT: As we got on-site we asked a) what all took place? How do you know for sure that something is wrong? What made you so cool-headed about knowing that there was an incident and not freaking out? They said oh, it’s real simple. Our wind turbine network has been patching itself. [00:20:00] We were kind of pushed back a little bit like, okay. So it’s been patching itself. That’s definitely an interesting behavior. I’m like well, are you sure there’s not somebody from IT that’s been doing patching or coordinating with the operations folks? They said oh no, no, we checked with IT. It’s definitely just patching itself.

At that point we thought it was pretty interesting of course. We go take a look. As it turns out, where there were Windows operating systems in the environment, they absolutely were being patched. As we looked at it, it was pretty clear that there was malicious activity on the systems. It wasn’t hurting anything. It wasn’t damaging anything but it was effectively early crypto-jacking software where they were effectively using the spare resources on the system to be able to do various crypto-currency type mining. I think this one was actually Bitcoin if I remember correctly.

JACK: The hackers who got into the computers at these wind turbines were using the systems to mine Bitcoin. The way hackers like this work is they get dozens or hundreds or thousands of computers that they don’t own to all mine Bitcoin for them at once. A handful of computers mining Bitcoin like this isn’t much profit but if hundreds or thousands are going all at once then the daily profit starts to become significant. Basically they infect the machines with software that would utilize the spare CPU and graphics power to make money off it. These wind turbines were connected to the internet and the hackers somehow found their way into these systems and were making money from it.

ROBERT: It seemed that the adversary was keeping up with the patches. Our assessment of the situation was they were keeping other malware and other adversaries off those systems by updating and then maintaining them so that they could have their little crypto-currency farm there across the wind farm. But probably the most interesting thing, what makes it really interesting from an IR story has nothing to do with the fact that adversaries are taking advantage of Windows systems.

Sure, it’s interesting that it was a wind farm but what really got interesting is we made the recommendation; here’s how we can clean this up. We figured it all out. Here’s this activity group that’s related to cyber-crime. We can absolutely take care of this for you no problem. It won’t be any big deal. The business leaders had come back to us and said well, operations have pulled the data to show that we now have a faster and more reliable patch cycle with the adversaries than our own IT departments. It’s like look, you can’t really just let the adversary stay. There’s a lot of risk in doing that. You don’t know what else the IP connections would be used for. When they eventually make a mistake, all that risk is completely on you.

I advocated every which way I could but as much as I hate to admit it, the business owners decided that they were going to let the activity remain but just put some additional monitoring in place since they were affected and had deployed patches across the environment. From then, operations respected what was done. These were systems that weren’t really supported on the contract anyway. They didn’t have warranties that were gonna be voided by the deployment of the patch. All of the normal considerations that would have pushed against this had met this perfect storm where they were completely comfortable with having the adversary being in that environment. It was just stunning to me. From the adversary’s perspective, I imagine they were trying to do a fairly low and slow approach to not be noticed in the first place, or not be kicked out in the first place so it wasn’t like they were bogging down the systems to a point that it was having an impact to the operations.

The systems were definitely slower and the resource utilization was high on them but it wasn’t making it where they couldn’t produce energy from the wind turbines. Yeah, I was stunned. Normally an operations team, industrial – your operators in the industrial control environments, not in a million years would they allow that. Even if it somehow was better than IT they don’t want random patches to go out whenever somebody feels like it, uncoordinated, unscheduled. But this was a very small operation. We’re not talking like a national wind farm, a national company. This was a smaller company that didn’t have a ton of resources in the first place. The idea of free IT services probably seemed pretty enticing, I guess. I don’t know what went through their mind.

I was pretty stunned. I don’t want to instill the idea in people that this is common [00:25:00] at all, or that this is in any way representative of the electric industry. This is a small junior company who didn’t know what to do in this situation and made a decision that they were comfortable with that I wasn’t fully a fan of. As I think about this case study out loud now, I can already see somebody being like, oh, the electric grid was threatened by blah, blah. No, no. It’s a small number of wind turbines. It has no impact on electric grid whatsoever.

JACK: While Robert came to do incident response and clean the malware up, he left the wind farm with malware still running. The client was happy that he was able to solve the mystery of why these systems were patching. The client put together a plan to clean these systems up when the time was needed and they made sure they had backups and isolated the systems so they wouldn’t be able to get anywhere else. But they let the hacker stay on the systems and mine the Bitcoin and they let the two live in a strange symbiosis harmony.

[MUSIC] This summer I took a trip to Defcon, the largest hacker conference in the world. It’s just like you would imagine a hacker conference to be; lots of people wearing black, dyed mohawks everywhere, antennas sticking out of backpacks, and blinking lights everywhere. When I was there I got to meet Snow. She started telling me about an interesting story so I turned on the mic and started recording. I started out by asking her how she got started as a hacker.

SNOW: It’s funny that you ask that question as we’re here at Defcon. Actually, everything that brought me to do my career is because of Defcon. It was Defcon 18 or 19. My husband who’s been in security for years finally decided to come and he asked me if I wanted to go. I had no interest at all in attending a hacker conference. That was just not something I wanted to do. But I wanted to go to Vegas and just wanted to sit out by the pool all day, and sip on drinks and that sounded perfect.

He actually ended up getting me a badge and I think the very first talk I went and saw was something about malware reversing and it just went over my head and I just had to get out of there as soon as possible. Where I went from there is I found the lock-picking village. That day I picked my first couple locks and I got out of handcuffs. I remember just feeling that rush was amazing and I loved it. From there I wandered around some more trying to avoid talks as much as possible. I found the social engineering village. I remember sitting in the room and watching the calls and just thinking that this was made for me.

JACK: The social engineering village at Defcon is an area where you can practice, learn, and compete in social engineering.

SNOW: Just watching people sit there and ask like, creative ways they asked questions to get specific pieces of information and then – I mean, they made it look easy and I knew it wasn’t that easy but how creative they were, I think is what really sparked my interest.

JACK: On stage during the competition you can watch a live person in a sound-isolation booth on a call trying to trick someone into giving them information they shouldn’t give out. It’s fascinating to watch this live and to learn all the effective ways they’re lying to people to get what they want.

SNOW: After that I remember researching everything I could on social engineering. I bought every book that was made.

JACK: She went home from Defcon with a completely new passion and she felt like she was pretty good at it so she came back to Defcon the next year.

SNOW: I went back and I competed in the contest.

JACK: She didn’t win but she learned a lot. This contest is actually several months long and the final part being a live call on stage at Defcon. [MUSIC] When she competed she saw what everyone else was doing and she learned about all the places she forgot to look and all the things she forgot to do and all the different techniques there are for lying to someone to get them to tell you the information you need. She practiced and read even more and came back again to Defcon the next year and competed again, this time ranking high but still not winning the competition. But Snow was determined so she went back to studying social engineering some more and practiced even more and came back to compete for a third year.

SNOW: I won Defcon 22. I won the Black Badge.

JACK: The coveted Black Badge at Defcon is rare. It’s only given to contest winners and a select few, and besides the bragging rights of being the winner, you also get free entry to Defcon for life. But what’s more is this started Snow on a totally new path in life.

SNOW: After I think my second year competing, I had a good handful of people in the audience come up to me after and ask if I would do that work for their companies. That’s really what got me going. I started my own consultancy and I’ve worked for a handful of companies doing this. Ever since then I’ve been just doing this work professionally.

JACK: More and more companies are seeing how the humans in the office are often the weakest link in the security so they hire social engineers to not only test the security of the people in the company but also they use it as an opportunity to teach them how to be safer. She tests for a variety of security controls.

SNOW: The main ones that I do are physical security, phishing, which is [00:30:00] sending the e-mails, vishing, with a v, voice phishing, and then I do a lot of open source intelligence-gathering. Before I do any of these assessments I’m always going online, seeing what information I can use to better craft my campaigns.

JACK: For years she continued to do this consulting work, testing networks and people, and one day she got a call from a Fortune 500 company wanting her to do some social engineering tests against them.

SNOW: They just opened up a brand-new headquarters in Europe. They wanted to test their brand-new European headquarter location. My goals for that assessment were mainly to see if I can make it onto their floors. It was like, a twenty-floor skyscraper and they had five floors in there. That was the main goal; get onto the floors, follow it up by seeing what information I could get from the employees. However, the scope was really limited. I couldn’t do RFID cloning; I couldn’t do any type of bypassing, lock-picking things like that. My hands were kind of tied in that sense. [MUSIC] From there I decided to try to figure out who I wanted to be for this assessment.

While I’m doing open source intelligence-gathering I’m trying to find where they have their doors, what kind of security is in place. That way I know what I’m getting into before I go on-site. As I’m doing all this research, I’m not finding shit. It’s a brand-new building. It’s not even on Google Maps yet. Most of my clients that I’ve done, I’m able to find their property management companies, phone numbers, all their buildings so I can do street-view around the building, all kinds of stuff. This one had nothing ‘cause it’s new. They didn’t even have a huge employee presence online ‘cause that’s another thing I like to do; I like to look at Facebook, Instagram, even LinkedIn to see who’s posting pictures of their employee badges. That way before I go on-site I can create my own so I can blend in.

I’m not finding anything during this phase. The only thing I could think to do was show up on-site and before I actually start the assessment, do reconnaissance. While I’m doing that I’m looking for employees wearing their badges. That way I can snap some pictures, go back to my hotel room, create my own and then hopefully I can blend in. I’m doing my reconnaissance. I’m walking around the building. Everything is very locked-down. Most buildings will have a main entrance that people can come in and out of the lobby. This one had turnstiles just into the building. They had RFID which was out of scope, so I had a really hard time trying to figure out how to get into the building. I was able to find a side door that was unlocked and go in that way. The second I’m in the lobby, I’m looking around trying to find employees, trying to look for IDs, and the receptionist looks at me.

I must have stood out like a sore thumb ‘cause she started grilling me all kinds of questions. I just explained I was waiting for a friend. She said no, you’ve gotta wait outside. She kicks me out. Right there I’m like shit, my cover is probably already blown, I haven’t found any pictures of employee badges. I’m stressing out. This company paid a lot of money to fly me very far to test their security and I’m having a hard time just finding stuff online, let alone [inaudible]. So I go back to my hotel and I’m still trying to research. Hopefully I can find some nugget of information. I’m not finding anything. Lots of pressure with these kinds of assessments ‘cause you wanna do good, and especially if they’re sending you all that way to perform this kind of assessment. I’m banging my head against the wall for a while and I finally come up with the idea because I saw a news article they released that they had a bunch of new investors for this new building.

My idea was I was gonna be an investor-relations manager from the Americas building and I was coming over to check out the new building and to set up meetings with potential new investors. When you throw around the word investors with companies that big, they will bend over backwards for you. [MUSIC] What I did is I found the phone number for a VP in the Americas. I spoofed my number to look like it was calling from her and I called the European headquarters and said hey, we’re sending out this investor relations manager. She just needs to do a quick tour of the facility and then set up some times to meet with some investors. She’ll be there tomorrow morning at 9 a.m.; please make sure she has a guest badge ready, and pretty much give her whatever she wants ‘cause she could be bringing in a lot of money for us.

That conversation with the receptionist, she seemed very willing to help and very happy. That kind of gave me a little boost like okay, this might work. I show up the next morning at 9 a.m. I was wearing a business suit and I had a – [00:35:00] I wasn’t able to find employee IDs from the Americas office so I created one from the Americas office ‘cause I wasn’t sure if they looked different in Europe which they actually did. I had an ID created for that, I was in a business suit, I had a clipboard which was a forged document with just a handful of questions. On the next page I had a bunch of information about local large companies that could be potential investors.

I show up to the receptionist that morning hoping she wouldn’t recognize me ‘cause I changed my hair around, I changed my clothes, and I had my badge on so that gave me a lot of credibility. I said hey, I’m this person and I need to get onto – I have a meeting on this floor. She hands me a guest pass and walks me right through to the turnstiles and the elevators and walks me right up to their main floor which is I don’t know, floor five or six or something like that, and just leaves me there to wait for their receptionist. I was like holy shit, I’m on the floor. I got the big goal. I made it onto the floor. It’s just, it’s a rush. It is, oh yeah. It’s very scary and a lot of people think that I’ve been doing this for years, like it’s easier, it doesn’t.

Every time before I do anything or if I’m talking to someone, I get that feeling in my gut like oh god, I’m gonna get caught. But it is such a rush. I’m always nervous every time, every time. I get onto the floor and I introduce myself to their receptionist, not the building’s receptionist but my client receptionist now. She says oh, we’re so excited you’re here, we’ve been waiting for you. She offered to get me some coffee and she said that she had the facility manager that was gonna show me around and give me a tour of the building. He comes a little bit later and he gives me a tour of every inch of their five floors. As we’re going on the tour I’m trying to keep in mind I need to get information from him ‘cause that’s my second goal.

So I start saying things like well, I have a couple potential investors who are really concerned about physical security. They’ve invested in other firms before and they’ve been broken into so I need to make sure I can assure them that this is not an issue. I said I need to know now where your issues are so I can make sure they’re fixed before I go back to them. He went through and showed me a handful of places that were actually vulnerable. He explained how one of the side employee entrances only, it was RFID protected. It had the red light so it should have been locked; it actually was unlocked during business hours. That right there is a huge finding. He showed me how if they did have meetings which were listed on their website that they would let the receptionist just check anyone in without verifying and a handful of other things that were just huge findings that should not be the case at all, especially for a brand-new building.

From my point of view, if I was an attacker, I know exactly when I can get into the building, when it’s going to be unlocked. I just have to look at their calendar which they actually had a couple events that next week, and I would know that I just need to say hey, I’m here for this event and they would let me right in, give me a guest badge and I would have full access to their whole office. I was able to complete my two goals which I was so excited about. However, I wanted to see if I could get just a little bit more information from him. I explained how I did have a phone call and asked if there was an office I can sit in ‘cause I wanted to see if I would get access to an office.

They actually put me up in an office and they wrote my name even on the wall, just like a name plate. I was left alone in this office with my name on it, which was really weird and I wish I took a picture of it ‘cause it just was so surreal. As I was leaving for the day ‘cause I was there, oh man, like four hours on-site. He gave me a very, very detailed tour. As I was leaving, the receptionist actually offered a limo service back to my hotel which was pretty badass. I didn’t take it because I was staying, actually at a hotel right across the street so I thought that’d be a little suspicious.

JACK: She got back to her hotel room bursting with joy with the feeling of a job well done.

SNOW: Just this huge rush. I remember going out and getting a steak dinner that night.

JACK: Snow delivered the report to the client, outlining numerous vulnerabilities she found in her assessment.

SNOW: They were very surprised. They did not think I was gonna be able to get in. I guess they actually had an internal bet; the guy from the Americas office and the European office. They’re like, there’s no way. This is a brand-new building. We have RFID in place everywhere. Every big security thing. We have cameras, we have all this, but just by a simple lie and spoofing my phone number I was able to get so much credibility that I didn’t look like a threat.

JACK: Social engineering is becoming a more common test for many companies. It’s always safe to [00:40:00] verify the strange calls you get by calling that person back or e-mailing them to confirm and to not let people tailgate you into a building, and to double-check people’s credentials and not always trust when someone else vouches for them, or just remember Ronald Reagan’s Russian maxim…

REAGAN: The maxim is ‘doveryai, no proveryai’ - trust but verify.

JACK (OUTRO): [OUTRO MUSIC] You’ve been listening to Darknet Diaries. You can find links and more information about each guest in the show notes on darknetdiaries.com and this show is made by me, Jack Rhysider, and theme music is by the ghostly Breakmaster Cylinder. Please help this show out by going to darknetdiaries.com/donate. It means a lot to me when you do. Thank you.

[OUTRO MUSIC ENDS]

[END OF RECORDING]

Transcription performed by LeahTranscribes