Transcription performed by Leah Hervoly
[FULL TRANSCRIPT] JACK: Hey, it’s Jack, host of the show. It’s holiday season so let’s have some fun and celebrate the year with a bonus holiday episode. I hope there’s much cheer and joy in your holiday season but for some of us security professionals, there’s no break right now. Hackers like to strike when people are on vacation or there’s a skeleton crew running things. To all the security professionals who are staying vigilant through the holiday season and keeping an eye on things, thanks. This is a story from an old friend of ours, TinkerSecure. He’s a penetration tester paid to hack into places to test their security. You might remember him from an earlier episode called Jeremy from Marketing. He’s got another story for us and he says a few cuss words in this one, but never in a mean or angry way. Enjoy.
JACK (INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet. I’m Jack Rhysider. This is NoirNet Diaries. [INTRO MUSIC ENDS]
TINKER: [MUSIC] It was Sunday night and I was boarding a red-eye to Los Angeles. I managed to get my carry-on filled to the brim with lockpicks under the door tools and badge cloners past the gate agents. They seemed only concerned about my laptop. After X-raying it, they let it pass, never-minding the hacking tools on it. It was the week before Christmas and I should have been home with my boys decorating the tree and planning on what exact cookies they were to leave out for me – uh, Santa. But here I was, boarding another flight to another godforsaken place to break into another building. At least my five-year-old hadn’t cried this time. Hadn’t thought that this was my leaving him permanently, leaving to start a new life with a new family in another state. But my ex was in town, their mother, in from out of state. Brought her fiancé with her, the man she left me for.
Seems he was trying to be a good male role model for my boys; had bought them a Nintendo Switch, gave it to them today as a surprise before Christmas. I had bought them a Switch with a game for each boy that we would play together. It was going to be a gift from Santa. I’d have to find a new gift from Santa. But I couldn’t think about that now; had to sort out exactly what I was going to do, what I was going to try to do to break into my target. I needed a clear head for what lay before me. My head was swarming with thoughts of family, of loves lost, new loves found. But plans and machinations could wait until I arrived on-site, could wait until I actually got a look at the target. For now, I settled into my seat, poured myself a Jack and Coke from a tiny single-serving bottle, tried to get some sleep in that cramped, flying tin can.
Los Angeles never ceases to amaze me. No matter how often I find myself here, I’m always taken aback by the sheer magnitude of the sprawl. Folks stacked one on top of the other, trees jutting out of the concrete, lanes upon lanes of roadway. Every inch of horizon taken up. [MUSIC] I hailed a Rideshare and was hustled into a worn-down hybrid. My driver was a Korean man, earnest and awake at that unnatural hour. He took great pains to ensure that I was comfortable, then took off to my destination. A man takes on a certain amount of fatalism when weaving in-between traffic at 2:00 a.m. going seventy-five miles an hour. My driver laughed and asked me what brought me to town? Business, I replied. What do you do? I break into buildings. Ever the conversationalist, he continued. Well, what sort of methods do you use to break into buildings?
I replied sincerely; oh, lockpicking’s a classic method. Nowadays we clone access badges. Often, if you smile, folks will open the door for you. We went on for a bit longer making acquaintances and the customary small talk. After a short bit, he put on some classical music and settled into a long and harrowing drive. [ENGINE REVVING] My driver pulled off the freeway and drove me right up to my hotel. He hurried out of his car, popped his trunk, pulled my bags out, and propped them in front of me. I was assured that if I left him a five-star review, he would return the favor. I assured him I would. [00:05:00] The hotel was nothing to speak about. I placed my bags to the side of the bed, didn’t bother to unpack. I made my way casually to the restroom and dry heaved up an empty stomach. [RETCHING NOISES] The nerves before a gig never seem to ease. I’ve just accepted it by this point and went through the motions. Oh, goddammit.
My colleague was already in town, already checked into the hotel, already asleep. I was to meet him ready in seven hours. I had been up twenty hours as it was. Too jazzed to sleep easy and too late – too early? – to take a sleeping pill, I’d have to just lie there and wait. [MUSIC] Sleep was rough. The sounds of LA flooded my room but morning came as it always does. Down in the lobby of the hotel, I slammed down a continental breakfast and Community Coffee and headed back up to my room for a shit, shower, and shave. My colleague was late waking up. After a bit, I heard a knock at the door. I peeped through the eyelet and I opened it, showing my colleague into my room. Yagix had a five o’clock beard and hair combo; his day-old unshaven beard met up with the spare top to create an even appearance all-around. He smiled at me and gave me a hug.
Yagix was an RFID and wireless guru. You got shit that flied through the air, he’d snag it right out and throw it in your face. He figured he might be able to gain access to the target’s WiFi network and hack it. If he was successful, I wouldn’t need to break in and we’d call it a day. He had identified a tall public building about a mile from our target site. I went with him and we perched in a common area next to a window facing the site. The view was spectacular. He had a bag that contained a long Yagi antenna that was plugged into his laptop. He set the bag by the window and angled it so that the Yagi pointed out. He then shifted the bag an inch to the left, looked at his screen, and muttered something about channels. He typed something into his laptop, then shifted the bag out to the left another inch. While Yagix was doing his thing, I sat across from him, sipping on a coffee.
I casually scanned our immediate area, the folks coming and going to see if they noticed us or suspected anything. No one paid us any mind. After a bit he said ah, I can’t get to it. I can see the building from here, and he pointed, but there’s too much between us and them. I need to be closer, he continued. I need to get right outside the building. I nodded and finished my coffee. Well, if he needed to go on-site, I might as well conduct some actual reconnaissance and scope out the place. I went back to the hotel and grabbed my gear bag, a small messenger bag. I waited in the lobby for my associate. I checked my bag; badge cloner set to record, had about half a foot of range. Lockpicks, laptop, under-the-door tool, long piece of cardboard. My colleague showed up. [MUSIC] We headed out. Came up to the site; normal office building in a normal office complex. Three stories, multiple entrances; front, rear, and side.
We sat in an outdoor picnic area and watched folks as they started to leave for lunch. Employee dress appeared casual; jeans, long-sleeved or light coat for the weather. The sun was out, hot for Christmas, but I guess this was LA. I saw some badges here and there, not worn consistently; some around the neck, some on the belt. I pulled out a fake white badge and clipped it on my belt. It didn’t look like the front of their badge but it did look like the rear of their badge. Guess my badge was always flipped. Saw folks leaving more now from the rear entrance. I glanced at my colleague and gave him a look. He was surprised; not yet, I can still hack in. Just give me a moment. Don’t stop, I responded. I may get caught. I got up and made for the rear door. A gentleman was just leaving. I called out hey, one sec, and sped-walked up to hold the door.
He smiled, held the door, and looked at my belt, concerned. Saw my white badge and looked relieved. I held the door for him as he left and I walked into my site only to be met by another door with a pin-pad access panel and a set of stairs. I glanced up and saw a camera so I took the stairs. Second floor was the same. Third floor was the same. I had nothing. I walked back downstairs intending to leave and try again. I didn’t want the cameras catching me loitering. [00:10:00] As I approached the door to exit, saw folks returning in from an early lunch. I stayed inside and pulled out my phone, pretending to be on a call. Three folks; two men and one woman entered the little area. I said a bit loudly into my phone, look, I have to get back. I’ll call you later, and walked behind the small crowd as they approached the inner-lock door.
The lead gentleman badged in and held the door open for the woman. The woman held the door open for her friend and her friend held the door open for me. I smiled and said thank you, and walked into the secured area of my target site. With that, I was in. Now what? The first thing I did was find the restroom, lay low for a bit, calm my nerves. I needed to find an open desk, a conference room, somewhere to plug in my rogue device. I left the stall and washed my hands, smiled at the person next to me. I dried my hands and left. Here’s hoping I can walk around and not look suspicious. I left the restroom and began walking the corridors. The wage slaves were huddled in clusters of open office half-cubicles. Different sections had different colors; Finance was green, Operations was red, IT was blue.
I stopped by a break room and helped myself to coffee, struck up a conversation with two employees. We discussed ways to maintain hair now that our hair was thinning due to old age. One of my compatriots lamented about the time when she was pregnant and had luscious, thick hair. I left the break room with my coffee, walked around and noticed what appeared to be a larger conference room. Floor-to-ceiling glass, a fish bowl. Everyone faced away from me, looking at displays on the wall. The placard said Security Operations Center. This was their SOC. I stared at the back of the heads of the Blue Team. They sat not three feet away from me as I looked through the glass. A mischievous grin appeared on my face. Their displays held readings on security events and tickets. I saw one for Antivirus, one for Firewall, one for intrusion detection systems, and on and on.
I now knew what I stood against. These were the people that could stop me and those were the tools that I had to get around. [MUSIC] I tried to wipe the grin off my face as I left them to their task. I walked on. I came up to a cluster of mostly-empty cubes, monitors, and keyboards waiting to be used. I approached a gentleman sitting alone and waved at him. He glanced up at me and removed his headphones. Sorry to bother you; you mind if I hotel here? I need to prep real quick for a conference presentation, I asked. No, go ahead, he said, and motioned to an empty desk. I pulled out my laptop and pulled out a smaller device behind it. The Raspberry Pi was the size of a credit card but held a full arsenal of hacking tools. Pretending to plug my laptop in, I instead situated the R-Pi up under the desk and plugged it in.
With my laptop, I confirmed connectivity to my Raspberry Pi and did some light initial scanning to get a feel for the subnet that my rogue device was on. I unplugged and shut down my laptop, knowing that anything else I need to do, I can now do remotely from my hotel through that Raspberry Pi. On my way out I saw the office of the Chief Information Security Officer. I approached the door. I hesitated; should I? The door opened. I froze. The CISO walked out and passed me, brushed up against my messenger bag. I said excuse me, turned my head away and down, walked on down the hallway, and out of the office building. I let the office door close behind me, heard it click. [CLICK] Locked. I tried to open it up again but couldn’t. I reached into my bag and pressed a button. The Proxmark changed from sniffing to replaying.
I waved my bag by the badge reader by the door [BEEP] and heard it click open. [CLICK] [MUSIC] From here on out, I can go back to my hotel and hack in as far as I needed to. I had my remote way in but if needed, I could always come back here, always badge in, always be the CISO. [BEEP] Oh, and I just touched base with Yagix. He snagged domain creds from their WPA2 enterprise wireless network by using Eaphammer. [00:15:00] He was in, as well. Looks like I didn’t need to break in after all. I hailed another Rideshare. The driver was quiet this time; left me time to think. All the computer protections; the firewalls, the locks, the badges, none of it mattered when a simple smile opened the door. But I like the smiles, the holiday cheer, the Christmas season. Come to think of it, I look forward to buying my sons a new Christmas gift.
JACK (OUTRO): [MUSIC] Thank you to TinkerSec for this holiday hacking story. You can catch another story of his on this podcast. Look for Episode 36, Jeremy from Marketing. You can follow him on Twitter where his name is @TinkerSec. Who knows? You might see him live-tweet more stories like this. This show is made by me, the Maltese raven, Jack Rhysider. Theme music is by the hardboiled Breakmaster Cylinder. Even though my way of learning is to heave a wild and unpredictable monkey wrench into the machinery, this is NoirNet Diaries.
[END OF RECORDING]S