Transcription performed by Leah Hervoly www.leahtranscribes.com
JACK: Well, let’s start with what’s your name and what are you known for?
FC: Okay, so my name is FC. My hacker alias is Freaky Clown. I’m known for being the co-founder and co-CEO of Cygenta, a cyber-security company here in the UK. I’ve been in the industry for twenty-mumble years and I’ve done a lot of hacking, a lot of social engineering, physical assessments, that kind of thing.
JACK: I was half-expecting you to say I’m known as the guy who breaks into banks.
FC: Yes, I do rob rather a lot of banks, probably more than anyone in history if I’m gonna be honest, actually. Quite a lot.
JACK (INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]
JACK: As you heard, today we’re gonna hear a story from FC. That’s his name; FC. But over time he’s taken on the name Freaky Clown as well. Now FC, or Freaky Clown, grew up in England. He sort of raised himself. His family just wasn’t around. You could say it was dysfunctional.
FC: Grew up in an area which didn’t even have a village name. It was in-between two villages; it was two miles either way before you got to anywhere. Computers were my only communication with anyone that had any real sense, you know? My parents were around, but not talking to me. Computers became my life. They were the only thing I knew, and the only thing I interacted with for many years. It became a passion. It’s a part of me and I can’t ever imagine my life without computers because of that.
JACK: He borrowed computers from friends at first and then saved up enough to get his own. He had the opportunity to go to college so he went, at first studying auto-mechanics, and then he got into science. But along the way he realized he was really good at computers and sort of shifted to an IT job in his early twenties.
FC: I was working as a sysadmin at the time doing some security stuff as well, ‘cause they always cross over. When the company that I was working for was going under, the guy had made – the guy who ran it was a terrible person in general but he was terrible at running a company. When he started to go downhill, he kind of went off the rails a bit and he started blaming everyone else for it.
JACK: This didn’t make sense to FC, but the owner was blaming a bunch of different people for things that they did which was why the company was going out of business. It seemed obvious the owner was trying to find a scapegoat.
FC: He accused me of wiping a PC [MUSIC] of data that he had loaned to an employee who had given it back. He actually called the police on me and said he has done all this stuff, and he’s hacked all this stuff, and wiped all this stuff. It was just part of my job to wipe it clean ‘cause why would he want any of their data on it? It was part of the policies and procedures that we had. I don’t know what he was expecting to happen there. I remember the police phoned me up and said we want to arrest you, which is very weird. They said can you come down to the station? I went down to the police station and they said oh, have you got a lawyer? I said no. They said well, go away, get a lawyer and come back, and then we can arrest you. I’m like [00:05:00] okay, this isn’t going how it normally looks, like in the movies, right? I go back with a lawyer.
We talk about it, they officially arrest me and yeah, it was a little bit scary because they were looking through the computer system and they didn’t have the crime that they were saying that I did on the computer system. So, what they did was, they looked it up and they were like okay, we’ll just put it under ‘attempted murder’ and just put a note saying it’s actually about computers. At that point, I started to get very worried and so did my lawyer, in fact. But there was nothing else we could do. Just went through the wringer for like, six months, a year, almost. Thankfully, all the charges were dropped and the case got thrown out, basically, but it really did make me see like, yeah, it’s very easy to cross that line if you don’t know what you’re doing. But because I had completely always stayed within the law, I had no problems there.
JACK: After this sysadmin job fell apart, he got a new job doing sysadmin work again but with a different company; this time with a little bit more focus on security. Here, he learned a lot about how to make computers secure or insecure. The security side of things really interested him so he quit that job and became a full-on penetration tester [MUSIC] for an information security company. This is where clients would hire him to come and try to break into their place, or steal things, or get access to stuff that he shouldn’t be able to get access to. This typically involves a lot of social engineering; calling people on the phone and lying to them to get info, or posing as someone else to get access. One day, he got assigned to do a physical penetration test on a bank.
FC: My first engagement with an actual bank was absolutely terrifying. It was a massive building in London and it’s not a normal bank, right? It’s not even a normal high street bank. This is an international bank that does finance stuff with other international banks. All they do is shift vast amounts of money. This one in particular had a gold bullion vault. The client came to us and said look, can you break in and maybe steal like, a bar of gold?
JACK: Well, that’s an ambitious objective; to grab a gold bar from within this bank and to get it out. But by that point Freaky Clown had already done many physical penetration tests where he’s paid to test the physical security of a building to see if he can break in and gain access to stuff he shouldn’t be allowed to. He’s confident in himself and has a variety of tricks and skills he can use to bypass weak security. Now, this bank has asked him to rob them.
FC: I’m like okay, that sounds interesting. Let’s do it.
JACK: [MUSIC] First, he does some reconnaissance. He wants to go down to this bank to see what security is like but instead of going down during the day, he waits until 2:00 in the morning to go down there. The reason why he’s going so late is because maybe you can tug on a few doors to see if any of them were left open. There might be a back service door or a window left open, or something. He just goes down to take a look. So, he drives to this bank which is right in the middle of London, and walks up to the building.
FC: I’m wearing sort of dark clothes, and I’m mesmerized by this building. I’m just looking at it like holy crap, this place looks like Fort Knox but worse, right? I’m like, oh my god, how am I gonna break into this place? I stood there just completely mesmerized for like, ages, when I hear someone from behind me sort of give a cough, like sort of, you know, just interrupting me. I’m still mesmerized by this building so I’m like, what? He’s like excuse me mate, what are you doing? I’m like, well, I’m trying to work out how to break into this bank. Then I turn around and see the two policemen that have just asked me this question. It was like oh, hang on, let me explain my job right now because this is gonna go really sideways.
JACK: He had to spend the next hour explaining to the police what he does. There were a few phone calls that were made to confirm his story too, but eventually they let him on his way. Freaky Clown knew this night was ruined so he left and came back the next day, this time in broad daylight. The night guards were onto him so he had to try a new approach. This particular bank had just spent a million British pounds upgrading the security on the front of this building. It was absolutely airtight in every way; he literally could not make any progress coming through the front, but this isn’t a regular bank where customers are just walking in off the street; this is more of a business-to-business kind of bank, where there aren’t any tellers at all and nobody’s in the lobby except for security guards. If you go through the front door, there’s no place to go if you don’t have the right access. The front was just not going to be [00:10:00] the way in, but in the back was a service entrance that didn’t get the same security upgrades. [MUSIC] FC figured out a way around back. He got past some restricted areas and into the building.
FC: I managed to get in through the back of this building. I got onto this floor where the security vault was, where the gold bullion is stored. I thought it’d be like, super secure, right? You’re expecting guards with guns or something. But I just walk up and the vault was just open. They just leave it open during the day because they need to get in and out, right? They only shut it up at night. If you’re in there during the day, you just walk in. Then I picked up a gold bar and believe me, they’re really heavy. They’re nothing like you see in the movies. I wasn’t gonna carry two out; let’s put it that way.
JACK: He picks one gold bar up and puts it in his backpack. It’s major progress here but now he’s gotta get out of the building because if he gets caught, security wins. But if he can get out with the gold bar in his backpack, he wins. Now, keep in mind, this is a place that customers don’t get to walk around in and there’s this massive security at the front door. If you’re seen in the building, chances are people are gonna think you’re supposed to be there.
FC: I don’t tend to get nervous around things like this. It always happens after the fact, so in the wash-up calls or in the wash-up meetings later, I’m just dripping with sweat and looking like a homeless person. But during the test it’s just, I switch off and I do the job. I get this gold bar and I’m like cool, I’ve got the gold bar. I’ve got it in my backpack. I go down two flights of stairs and I’m going to the exit. At any moment I’m expecting someone to jump on me, but nobody is giving any glance at me. I’m just walking out of the building. I hit the Exit button, I go through the turnstile, and that’s it. I’m out on the street. It was honestly that easy. It sounds incredible but that’s what it was.
JACK: Whoa, he did it. He robbed the bank.
FC: It’s an odd thing. Yeah, I just went around the corner, I called the client, said I’ve got all of the things that we needed to get done. Let’s meet up in the lobby and then we’ll go through it all. It’s not like it was in my possession for a long time. It was like maybe ten, fifteen minutes at most. But the feeling I get when I achieve all of the goals that a client sets out is kind of like a bit of ambivalence, really. It’s like well, I knew that was gonna happen ‘cause that’s what we do. Our job is to go in and get it. This trouble with a lot of social engineering is you’re almost always gonna succeed. I’ve been doing this for a long time and apart from two issues with clients screwing up things, I’ve got 100% record of doing this. It’s not because I’m like this super amazing social engineer; it’s just, that’s the way it goes. You only have to slip in, you only have to get in once. It’s really not that difficult to do if you’ve got the time and the patience to do it.
JACK: We’re gonna take a short break but stay with us because coming up, more bank robbery stories. Freaky Clown sort of loves these weird missions and who wouldn’t, right? This is exciting work. But there’s one physical penetration test that he’ll never forget.
FC: Yeah, so, we had a hospital, actually. Fairly new; they had just built a helipad at their hospital and they wanted to know if it was secure. They called us up and they said can you steal a helicopter for us? I’m like, I’ll give it a shot. Why not?
JACK: [MUSIC] Whoa, a [00:15:00] helicopter? This is gonna be good. But it’s not just about the helicopter; the helipad itself is what really should be secure. The hospital wanted to make sure that there was no access to this by anyone other than who was supposed to be using it. They don’t want some drugged-up patient accidentally wandering onto the helipad and getting hurt, or some bad actor out there sabotaging it, or some hooligans doing something else.
FC: I go to this hospital. I spend like, one-night recon, freaking myself out in medicine places under the hospital. We got into some tunnels and stuff. There are certain areas of a hospital that when you do a hospital test, you’re not allowed to go. You’re not allowed to go into the children’s ward, you’re not allowed to go into the maternity wards, you’re not allowed to go into surgery. But everywhere else is basically free to reign. But there are certain areas that are restricted to hospital staff. What you have to do is look at the maps and the great thing about most hospitals is they have like, massive public access areas. You can just wander around and pretend you’re a patient. Then there’s loads of fire marshal maps around. Once you study those, you can kind of work out the areas that you’re allowed to go in and the areas that you’re not allowed in.
Once you figure out the areas that you’re not allowed into, it’s very easy to sort of steal scrubs, for example. Once you get that sort of, almost uniform, then you can tailgate people into the areas that you probably shouldn’t. A lot of doctors and nurses, they do a fantastic job and they’re massively overworked. They’re not thinking about security and they’re especially not thinking about some guy trying to break in, right? Tailgate your way into these areas, look around a bit. Eventually you find the areas where they only have very restricted staff. That’s where it becomes a little bit more difficult because it’s not general-purpose medical staff that have access to these areas; there’s only very specific people. You have to work out where those areas are and then figure out a way to get in.
JACK: Cool, this is some good recon; maps of the building, scrubs? He knows where the helipad is, but it’s not publicly accessible. He thinks he now has a good idea of where he needs to go the next day, so day one is over.
FC: Went back to my hotel room, weirdly tripped over something in the night, and hurt my foot.
JACK: Specifically, his toe hurt a lot. He tried to sleep the pain away but in the morning his toe still hurt a lot. He’s hoping it’ll just go away because after all, he’s got a helicopter to steal today and there’s no time for a hurt foot to be slowing him down. He goes back to the hospital but now he knows exactly where to go to try to get to the helipad. He gets to the door that he thinks will lead him there, but the door is locked. He doesn’t have a key and he doesn’t think it’s safe enough to try to pick the lock. [MUSIC] So, he does a different trick.
FC: One of the ways I got into the area that I needed to was I used a pen. What you do is, if you want access to a door and no one’s around, and you want to tailgate through it, and you don’t have any kit to bypass the RFID reader or whatever, you place a large pen up against the doorjamb, so the crack between the door and the doorjamb itself, right? Then you walk away. When someone comes through the door, the pen falls into the gap and then it stops the door from shutting again. That’s the trick that I used to get to the area that led me up to the helipad. I used this gigantic pen, put it up against the gap of the door, someone came through a couple of minutes later, the door didn’t shut. I went up to it, opened it, walked through. It’s a really nice, simple trick.
I’m going up the stairs towards the helipad and I suddenly realize I’ve – other than being told the model of it, I know nothing about helicopters. I phone my friend, a colleague at work, and I’m like, hey dude, I need to know how to get into this make and model of helicopter, right? I swear to god, I have never had a moment that has been more like the Matrix than this moment, where I’m running up to the stairs and I’m asking how to get into this helicopter, just like Trinity does. We get up on the helipad and there’s no helicopter. It’s literally just not there. I phone the client and he’s like oh my god, I didn’t think you’d actually get there. We haven’t actually taken delivery of the helicopter yet. So, it’s like oh, great, thanks. Well, that’s over, then.
JACK: Whoa, this almost seems like a mission from Grand Theft Auto. But it seems like this was a success even though he didn’t actually steal a helicopter.
FC: So, my toe, I’d hurt my toe overnight and it’d been getting more and more [00:20:00] painful throughout this test, right, and you do a lot of running when you’re doing social engineering tests; running up and down stairs and running through corridors and whatever, and running away from security guards. But my toe was absolutely killing me so when the client, after I’d spoken to him about the missing helicopter, he’s like okay, come up to my office which is up this massive hill. I was like, do you mind if I don’t? ‘Cause my foot really hurts. He was like okay; I’ll meet you at the hospital. So, he came down to the hospital and he’s like, how’s your foot? I’m like, it’s absolutely throbbing.
So, he has a look at it and he’s like, I think you’ve broken your toe. I’m like, what? So, he escorts me to where the A and E entrance is, so emergency room section of the hospital. I go into the emergency room. I have to wait for a bit and then go and get x-rays and it turns out I had actually broken my toe which is annoying, but what was funny was a lot of the staff, they knew that I was there for doing this attack ‘cause word had already got ‘round. They were actually really cautious with me because they thought this was actually part of the assessment. I’m like, I am not gonna break my own toe to get into somewhere I shouldn’t. There are some lines I just won’t cross and destroying myself to do that is one of them.
JACK: He had his foot treated at the very hospital that he broke into. Crazy. [MUSIC] He did penetration testing for that company for a number of years and it wasn’t always physical penetration testing. Often, he would find computer vulnerabilities in their network too, which made him get better and better at hacking into computers. Over and over he was given the green light to try to hack into a company, and many times he found something which got him access to data that he shouldn’t have access to. With all this practice, he was getting really good at offensive hacking and breaking into buildings. After a while, he was able to get a job at Raytheon which is a research and manufacturing company that develops technologies like aircraft engines, avionics, and yeah, cyber-security software, too.
FC: Based out of the US, but they have a UK contingent over here.
JACK: FC joined their team. His job was…
FC: Head of offensive cyber-research. Basically, Raytheon are a kinetic company. They’re the people that build things that fall from things, or get shot from things. They have offensive cyber capability as do many other defense firms.
JACK: He wasn’t willing to go into any details about what he did at Raytheon as head of offensive cyber-research. But just judging by that name alone, offensive cyber-research, it seems like Raytheon is possibly building cyber-weapons, like maybe a vulnerability or some software to attack an enemy with. Let’s not forget they also make missiles and other kinetic weapons for the US government and other governments. Let’s also keep in mind that places like NSA and US Cyber Command carry out cyber-attacks all the time. Yeah, I guess there is a market for this and I guess it makes sense that Raytheon might be building cyber-weapons, too. At the very least, I can imagine Raytheon is pretty well-equipped to build software to exploit airplane systems, right? Since aviation is one of their specialties.
FC: They’re very entwined, obviously, with governments all around the world like foreign and domestic ones. That’s very much part of my life.
JACK: Hm, I think I see where this is going. I’m just now connecting the dots, here. FC was doing offensive cyber-research at Raytheon, and Raytheon’s biggest customers are governments which he said became a big part of his world. Did you work for any of the intelligence agencies of the UK, though?
FC: I can’t comment on that, actually.
JACK: Okay, fine, I won’t push on this anymore. But what seems obvious to me is that the tech and InfoSec experience he was getting was some top-level stuff.
FC: Working with a massive defense prime is phenomenal. You have everything you ever need. Trouble is, it isn’t wrapped up in red tape and whilst I know that the work that I did with them was really beneficial to a lot of people; saved a lot of lives, saved a lot of things happening, took a lot of drugs off the street. All of the good things, right? I know that I did all of that. I knew that when I was in that role, I was serving a lot of good things. However, it wasn’t what was in my heart. I wanted to go out and do more things that would help more people. Help the [00:25:00] nation as a whole, right? Help the nation of the UK and others and just improve their security, because it’s all well and good spending loads of time building these things that help in an offensive manner or defensive manner, but it’s all for naught if the whole country isn’t good.
JACK: He quit his job at Raytheon. Him and his wife started a new company called Cygenta which is a cyber-security company.
FC: We built this phenomenal company; it’s global, and we do a ton of outreach. This is the big thing for me, is it really reaches back into my childhood. I had no one there to guide me, no one to tell me what was a good thing to be doing, no one to give me that moral compass. I had to find that myself. We see – we just released that today, actually. We have seen over 6,000 children face-to-face this year alone.
JACK: Actually, we recorded this last year so those are 2019 stats. But he still goes to a lot of schools to meet these kids.
FC: That’s going to schools, doing events with schools. We’re part of the NCSC’s school’s help program, we’re part of TeenTech, we’re part of a whole bunch of other things that get us in front of kids to talk to them and inspire them about cyber-security and show them that there’s this fantastic career that they probably don’t even know about and the teachers probably don’t even know about.
JACK: I like this because teenagers committing computer crimes is a big problem that not many people are willing to try to tackle. Teens can stumble on a powerful and dangerous weapon like an exploit or denial-of-service tool, and launch it upon someone, not even knowing it’s illegal or malicious. Or they might have a curiosity towards tech or just need guidance to use that curiosity for good. FC goes to school and gives free talks to teens.
FC: Generally, they start with ‘I rob banks for a living’ which always gets everyone’s attention ‘cause they’re like hang on, isn’t that a criminal thing? Then we go into it like how do I do it, why I do it, why it’s not illegal when I do it but it would be illegal if other people did it. It just tries to capture their imagination a little bit about – there are some interesting jobs out there that you may not have heard from your careers advisor.
JACK: Very cool, but some talks he gives students are really quite powerful and eye-opening to them.
FC: One of the things we do is we’ll get people up to show them how spear phishing works. This is all well and good; if I get on stage and I perform a spear phishing attack or any kind of hack, I’ve already introduced myself as a hacker. I’ve been doing it for many years, I’ve got loads of skills. If I get up and do a thing, then everyone’s like well yeah, he’s a hacker; he’s gonna do that, right? But if we get someone up from the audience and we talk them through how to do the procedures, even if it’s something simple like a spear phishing attack using the SE toolkit, then it becomes really more impactful for them and for the audience because the audience is like oh my god, this person who has never done this before is able to put in all of these commands and then take over this network like, really easily, in like, twenty minutes. How easy is it for someone with actual skills? It becomes a lot more impactful when you see someone who doesn’t have those skills originally. It doesn’t take a lot to really show someone how easy it is to do.
JACK: I mean, I’m betting some of my audience is wondering wait, aren’t you teaching some of the bad kids to do bad things?
FC: Yeah, I always get this question, like oh, shouldn’t you be careful what you’re telling people? You shouldn’t be teaching people how to pick locks; you shouldn’t be telling people how to break into places. It’s like, okay, criminals are gonna crim, right? It doesn’t matter what you do. You can teach them stuff and they may go and use it, but there’s gonna be a whole bunch of kids that will take it and make a good thing out of it. It’s more important to decimate that information and hope that most people are gonna be good guys than it is not giving that information on the off-chance that there might be someone maybe that does something bad with it.
JACK: Now, while teaching kids about hacking is something FC does a lot, it’s not the primary goal of Cygenta. A company needs to make money and going around giving these free lectures is just a dream come true for him. But to enable him to do that, Cygenta works with clients to improve their security.
FC: Yeah, essentially. But we wanted to do it in a way that encompasses physical, digital, and the human side of cyber-security.
JACK: Yes, the human side of security is still an important factor to test and make sure that the people in the office are able to stop potential attacks or criminals, which leads us back to another penetration test that Freaky Clown did.
FC: I was asked to go and do a physical assessment against a very large government site in a European country, [00:30:00] so not in England. It’s in a country that I don’t speak their language. I didn’t have time to reconnaissance myself; I had to rely on someone else that was there. I phoned up my colleague and I said look, I know you don’t do physical stuff but can you go and check out this building for me? You’re in the country, it’s not far away from you. Just go and check it out and then look at all of the security issues and just relay them back to me. He phones me back up about it and he’s like hey man, I’ve checked out this building and it looks cool. There’s loads of entrances, there’s no cameras, there’s very few security people around. It’s gonna be a breeze. I’m like okay, that’s a bit different to what I was expecting, but cool.
JACK: Freaky Clown hops on a train a week later to head to this country to do the work. While on the train, he looks over his objectives and it’s simply to gain access to the building. He thinks he could probably at least get into the front door and from there, he might be able to convince reception that he wants to use the restroom or something. Okay, but at the same time, why not try to go to every floor on the building and all the buildings in the campus and just try to access as much as possible, just to show his client how successful he was? He arrives at the building.
FC: [MUSIC] I turn up at this site and I swear to god, it is the most secure building I have ever seen in my life. I don’t know what building this guy had looked at, but it wasn’t this one. It turned out, afterwards I found out they have three hundred CCTV cameras, internal and external. They’re watched 24/7. They’ve got one really well-guarded entrance and within the building are policemen moving in groups of two, and they have guns.
JACK: These are security guards?
FC: No, no, no, these are actual, genuine police in this building. This is a government site. They have proper people in there. It’s not just like a flyboy, third-party security group. It’s like, genuine people.
JACK: Okay, this does sound hard. FC doesn’t speak the language so his social engineering tricks just don’t work here because of the language barrier. He can’t even read what any of the signs say on the building. So, he takes a closer look at the front door to assess the situation.
FC: Can’t walk through the front door. They’ve got a revolving door with RFID.
JACK: You need an RFID card just to walk into the front door. Yeah, while it’s possible to clone one of these badges and get through the front door, the security measures didn’t stop there.
FC: Once you get into the door, it’s all made of glass so you can see there’s reception to your right, there’s two reception staff, there’s four security guards, then there’s further security gates like the tiny little sliding glass ones. I’m not gonna be able to jump over them, or I’m not gonna be able to distract one of the – or both of the security staff. There’s only me onsite so I can’t use any distraction mechanisms. That’s gonna be really difficult.
JACK: Front door is out; it’s just too heavily guarded. He walks around the back of the building to see what else is there.
FC: The back door, side door, all of the side doors are shut. They’re all one-way exits. Everyone has to go through this thing. They’ve got a loading bay but that’s pretty well covered with cameras. It was like, can I get into the building? At this point, I’m thinking no, I literally can’t. There’s no way I’m getting into this building whatsoever. I actually phoned up my account manager and I said to him look, I can’t do this. I’m not getting into this place. I’m not even gonna try because to be honest, I can’t speak their language and the only thing that is stopping them from shooting me is a letter that’ll be in my back pocket.
I don’t know if you can picture the scene that was in my head at that time which was I break in, I get seen by two policemen who pull guns, who are yelling at me in a foreign language, and then I go to pull something out of my pocket as proof that I should be there? I don’t think that’s gonna go well at all. I’m like, I’m not doing it. I’m just not doing the thing. He goes, I knew you’d say this but you always pull it off, so just think about it overnight and go back. So, I’m like alright, whatever. I recon the building for a couple more days, putting it off as much as I can. I’m like shit, how am I gonna get into this building? This is truly well-guarded.
JACK: [MUSIC] FC kept going back to the building to look around at different times of day, trying to figure out if there’s any weaknesses at all in this building so that he can get in. He notices something at the loading bay where the trucks pull up for deliveries. He looks around there for any opportunity to get in, but he’s not sure.
FC: But it has a unique physical layout. It’s these [00:35:00] two ramps that come down to the door, so it’s an underground loading bay. As I’m looking through options into how to get in, I’m up really early one morning and I’m looking at the building. I just happened to be around the back of the building when I noticed that the sun, at a particular time of day, is shining down one of these ramps and is basically just highlighting one of the cameras. It’s then that I realized that if that sun is shining on that camera at that time, it’s probably whited out and it can’t be actually doing anything. You can’t be able to see anything unless they’re really lucky and got some really good light optics on it. It’s probably gonna be the only way in, so I had to wait until that time the next day and then quickly run down that ramp and get in through the loading bay whilst it was open, and then hope that nobody saw it.
JACK: Sure enough, that camera wasn’t able to see at that exact time of day because the sun was blinding it. If you were staring at the footage from that camera, you wouldn’t have seen him walk up, you wouldn’t have seen him open the door or go in, but all you would have seen is one frame where his foot went into the door. This worked. FC was in the building and nobody saw him or stopped him.
FC: I get into the building, I’m into the loading bay, and it’s pretty much empty. [MUSIC] There’s some glass doors right at the back going into the offices. Yeah, I’m like okay, I’m pretty relieved. I’m still expecting someone to turn up any second ‘cause they’re probably pretty much on the ball, and I see some people walking past this glass door. The door’s locked, right, so it can’t be opened from the loading bay side ‘cause I don’t have a key or anything like that. I’m banging on the glass trying to get someone’s attention and eventually someone sort of sees me and is like, looks at me quizzically through the door. I’m like, I forgot my pass. I can’t get back in, hoping that they sort of understand English, and I’m gesticulating with my arms as much as I can. Eventually, he just opens the door for me.
I’m like okay, cool. This is actually pretty cool. I walk into the main office area and I walk about, I don’t know, twenty, thirty feet to my left, and I take a right. Standing in front of me are two of these security guards. All I can fixate on is their handguns. They’re looking at me and then they sort of just say hello. I sort of nod at them and wave, thinking this is never gonna work. This is gonna last like, two seconds, and I’m arrested. They just nodded at me and walked off. I was like, oh my god, have I just got away with that? Is that how easy this is gonna be today? I wait until they’re out of sight, and I just run. I run off, like just peg it down this corridor, up some stairs, until I can find a toilet to sort of sit in for a bit and just gather myself and be like oh my god, how the hell did I get away with this? This has like, been fluke after fluke. That was one of the scariest moments, I think, for me.
JACK: Well, he’s in the building. This was his mission but of course, he wants to see what other things he can access. After he calms down in the bathroom for a minute, he comes out and carries on, walking down the halls, looking for any interesting rooms to pop into.
FC: This government building had a really nice sort of auditorium for hosting other governments and they had a lot of translation booths, etcetera. I managed to get into one of the translation booth parts, so where the interpreters sit. Whenever you look at a movie and they’re like – got the people with the earpieces talking, translating, and stuff. That’s where I was stood, in one of these things. I started playing with the kit around me and I noticed that there’s actually some really good network kit hidden in the cupboards, so I got the cupboard open and I put in a Raspberry Pi into the network. I just plugged it in, configured it, and then just left it there so that we could remotely access that network from outside the building.
JACK: A Raspberry Pi is just a mini-computer. It’s about the size of a deck of cards. It’s easy to hide and is perfect for hackers like him. His had a cellular connection on it so he could access it from home or anywhere in the world. Then, once he accesses this Raspberry Pi, he’s on the network inside this building, so he’s got inside access to stuff and from there, he can hack into the place further if he needs to. He keeps exploring this building and something he saw when he was walking around outside is that this building complex actually consists of three buildings, and there’s a little bridge that connects [00:40:00] each building from one to another. He finds the bridge that goes across to the other buildings but there’s a problem; mantraps.
[MUSIC] A mantrap is like a little glass room just big enough for one person to enter. The goal is to remove the option for people to tailgate through the door with you. One person enters, the door closes behind them, trapping them in there, and they have to show their ID. That might be a badge or a fingerprint, or an eye scan which proves their identity and the opposite door opens, allowing them through. Many also check the weight to make sure you aren’t carrying anything big through, or that two people aren’t coming through together. Now, I probably would have looked at this and said forget it; it’s impossible to get through that, and go somewhere else. But FC thinks of this differently.
FC: Yeah, but this is the point, right? My job is not to get in and do the thing. Whatever the goal is, whatever the client wants me to do, that’s not really my job. My job is to push the boundaries until I get caught.
JACK: He’s determined to get across this bridge into that other building, but in order to do that, he would first have to go through one mantrap just to get onto the bridge, and then once he’s across the bridge, he has to go through another mantrap to get into the next building.
FC: I had to basically tailgate through those and that becomes a little bit more awkward because if you’re in a mantrap, you generally don’t have a lot of room. I waited until I found someone that kind of looked a bit nervous anywhere; the milquetoast-type person where they’re just not very confident and you know they’re not gonna answer you back or anything like that if you get argumentative with them. I saw this one guy and he must have been mid-twenties, something like that, quite young, looked nervous as hell, maybe his first week or whatever. He goes into the mantrap and I literally just run straight into him, slam straight into him and we’re like oh my god, sorry mate, I didn’t see you there. I was trying to get through the mantrap door. We’re now face-to-face, almost cheek-to-cheek in this little mantrap as it’s revolving round. We’re like, sorry, that was really awkward. He doesn’t know what to do with himself and I’m just trying to make it more and more awkward by getting closer and closer.
I didn’t need to; there was plenty of room for two people in there but the more awkward you make it, the more likely they are not to confront you about it. We get out of that one mantrap and we go to the next one and obviously, it’s not expecting two people so I have to cram in with him again. Now it’s slightly less awkward for him; this is now the second time he’s been in very close proximity to me, but he still doesn’t know how to react to this, so I’m just trying to wait for this door to revolve around and we get out to the other side. I know this building is the one that has the main entrance to the main exit point, as well. I say sorry to him again and I sort of go off in the opposite direction. Probably the weirdest thing that’s probably ever happened to him in his entire career. I run down some stairs. I get into the main reception area.
JACK: He’s now at the front entrance. He wants to try to leave the building in order to accomplish this mission but to get out, there’s a little gate. There’s a reception desk and a security desk but remember, you need a badge just to open the front door and then another badge to get through this gate to get into the building.
FC: All I’m doing is thinking oh my god, what if they need the tag to get out? [MUSIC] I’m gonna approach a security desk and the security guard’s there, and if it needs a tag to get out, I’m kind of screwed. I’m trying to put on a brave face as I go up to this exit and thankfully, it’s just an infrared beam that detects if someone’s there and it just opens the gate, and I walk through. Okay, I really hope that I’m gonna make it between these security gates and the door which is only like, thirty feet. But if someone is gonna stop me at any point, it’s gonna be now. I sort of just pushed the door open, walk out, out onto the street, and then run away. Like I say, there’s always running to do in social engineering.
JACK: Nice. He did it; he accomplished the objective which was just to get into the building. Not only that, he got into two buildings and planted a Raspberry Pi for further exploitation later. Now, FC likes to try to dress like the people who are supposed to be in that building, and this way he can blend in better and looks like he belongs.
FC: I always dress how my target audience is. I broke in the first time, the beginning of the week, into this building, looking exactly the same as everyone else. No one really paid me any mind. Broke out, [00:45:00] went back the next day slightly dressed down. Again, no one spotted me. By the third or fourth time, I was dressing a complete slob. I had like, really ripped jeans, I was still wearing my baseball cap, I had a fake tattoo sleeve on, T-shirt with the logo on it, all the stuff that they shouldn’t be allowed to wear in this building. Nobody was still paying attention. [MUSIC] Part of my job is to take photographs of evidence of where I’ve got to so I’m thinking okay, I need to step this up a little bit. I go back down to reception and I’m like hey, I forgot my jacket. It’s upstairs; I need to get something out of my car. Can you let me back in when I come back?
The receptionist is like yeah, sure, no problem. I go out to my car and I get a massive SLR camera with a huge lens on it. I come back in and the receptionist, funnily, lets me back into the building ‘cause she assumes that I work there, right? I walk back up onto the – I think it was the Finance and HR floor and it’s quite a restricted floor. I’m like alright, how much can I push this? I stand on a chair which is not normal office behavior, or at least, the offices I worked. I stand on the chair and I start taking photos with this massive camera, of unlocked desktops and all sorts of security issues. When all of a sudden, this woman appears from out of nowhere. She’s like, excuse me, sir? I’m like oh great, someone’s finally spotted me and is going to ask what the hell I’m doing there, right? She’s like excuse me sir, are we gonna be in a magazine? I’m like, kind of. Let me just carry on taking some photos. It’s bizarre what you can get away with.
JACK: By the time the assessment was over, Freaky Clown had gained access to all three buildings and had poked around on every floor of each of them. While the front door and exterior looked impenetrable, he still found numerous ways to get in which allowed him to build a report for his client who was happy to see all the ways they can improve security. Obviously, they had taken this very seriously so they wanted to make it better. Over time, FC has done many more penetration tests and physical assessments, and one thing he keeps getting jobs doing is breaking into banks.
FC: At one point I was breaking into eight high street banks a week. This is how many I was doing at one point. We – working down the country to all these banks and one of the area managers didn’t understand the test or the point of the test, and he thought we were there to really show him up. What he did was he called all of his branches and told them that we were coming in which is a big no-no. I walk up to this high street bank and I’m just sort of ushered to one side which is a bit odd for the story that I’ve given them, which I’m not gonna give you because that would get you access into basically any bank, right? I get ushered to the side and I’m like okay, this is a bit odd. Ten minutes go past, twenty minutes go past, and I’m like oh man, this is not going right. All of a sudden, blue flashing lights appear. They have an armed response coming to the bank. It’s like oh mate, what have you done? I had to explain to them what my role was and what my job was, and I was there really trying to rob the bank but not really as a criminal, which is always an interesting conversation to have with police.
JACK: Now, when a social engineer gets caught, typically they try to figure out a way out of this situation, to lie or make up a story just to get out of it. But since the actual police were involved, he knew he had to come clean with why he was there.
FC: There’s a couple of fails in this; was one, the client telling the branch that I was coming, but two, the branch massively panicked. There’s a whole set of policies and procedures that they should go through if they think they’re under attack like this. What they did was, they circumvented most of them and went straight to calling the police. The interesting there is, if they were charged with wasting police time, and you can only have about three to five of those per year before you get blacklisted, so if they had any more of those, then they’re not gonna get armed response that quickly ‘cause it’s just gonna be – the police will be like well, they’re wasting our time. It’s a ridiculous rule but it does happen. They really messed up with that one really badly.
But the interesting thing there is, I obviously have a letter explaining who I am and what I’m there to do, and I have authorization, etc. But this was one of the very few times that I’ve ever had to produce it. But the thing is, I’m always carrying two; the second one is actually a fake. That fake one has basically the same information but with numbers that relate to a [00:50:00] colleague’s. So, when the branch manager phoned it up, they were actually phoning a friend of mine. He said no, no, no, he should definitely be there because we’re testing that procedure as well. Are they doing everything that’s written on the letter which says phone them using your internal phone system? Don’t use the numbers that are here. If they’re not following that, then that’s another fail for them.
JACK: Yeah, when the police are involved, you just don’t want to play games with them. He had to come clean on everything and they called all the people who he said gave him permission to do this. They found that everything was legit, so they let him go. But Freaky Clown doesn’t always go onsite to rob banks. Sometimes he can just rob them through the internet.
FC: [MUSIC] Getting into banks over the internet is probably even easier than physical assessments because you can hit anywhere on their environment to get in. There’s always loads of little flaws that you can take advantage of.
JACK: Like, what are some of those flaws?
FC: A lot of cross-site scripting, a lot of SQL injection, bad configurations of network defenses, using some interesting techniques where you blend a bit of the physical and the digital side. Sometimes what we’ve done in the past is created a physical device, break into the bank itself, implant that physical device, and then use that to gain access in. This really comes back to the whole core of Cygenta; it’s like, if you don’t have physical sorted, then it doesn’t really matter how good your defenses are digitally because we’ll just use the physical bit to get past all of that. Yeah, there’s a ton of techniques that a lot of pen testers use for getting into sites but because it’s a bank, it doesn’t make it any better, to be honest. They’re generally a little bit more lax in some areas because of – they’re so huge, they can’t always update everything that they need to do.
JACK: While he’s hacking banks’ networks over the internet, he’s sometimes able to fill his bank account with money.
FC: Yeah, so one of the pitches I love to show to kids when we’re doing a lot of outreach and I’m talking about how we rob banks and how we do all these fancy things, is I show them a picture I took some years ago of an ATM of my account after doing one of these assessments. What it does, is it shows a picture of about five or six different accounts and in each one is more than a million pounds that we’ve taken out. Obviously, we have to give the money back; that’s part of the ethics of it but it shows that once you’re into those systems, you can very easily transfer out money to wherever you need to.
A lot of the defenses that banks use are – it’s very complicated because they have people that know how to transfer money, like bulk money, and they have people that know the computer systems. But they have this weird separation where they go okay, the people that know how to transfer the money don’t understand the technicalities that they need to circumvent, and the people that know how to circumvent the technicalities don’t know how the money-sending process works. We’re kind of okay with that, but when you get an ethical hacker that comes in that knows a bit of both, then that’s when all sorts of trouble can happen. Then you can literally just siphon out millions of pounds out of the bank systems into other accounts.
JACK: After hearing this, I think most companies aren’t ready for a skilled social engineer to break into the building to try to steal real assets like this. Office workers get a yearly security training where they teach you how to spot phishing e-mails, but I don’t think it teaches you how to handle a phishing call, or a person asking you to open a door for them because they forgot their keys in their jacket upstairs. We want to be nice and helpful to others and often, we are. It’s often said that the human is the weakest link in security, and scammers and criminals can manipulate people to carry out attacks a lot easier than manipulating a computer. But what’s also true is the human is often the strongest link, too. With the right set of eyes and a well-trained staff, it can drastically reduce the vulnerabilities in the office.
There are troves of stories about how one person ruined an entire plan for some hackers; like for instance, when a hacking group broke into a bank and attempted to transfer money to their accounts, it was a human who saw that transfer was a little odd and decided to flag it to be followed up on. Sure enough, it was not an authorized transfer and this one person stopped this cyber-attack which took months of planning and preparations. I think if you want to have a secure environment, it really needs to be the job of everyone [00:55:00] in the office to help keep things secure, starting with the CEO or president, and working its way all the way down to the nightly cleaning crew. With proper training and education, the human can be the strongest defense to cyber-threats. In fact, a lot of times it’s our only hope.
JACK (OUTRO): [OUTRO MUSIC] Thanks so much to FC, Freaky Clown, for coming on the show and telling us your stories. This show is made by me, the hash-smasher, Jack Rhysider. Sound design was done by the curator Andrew Merryweather, editing help this episode by the devilish Damienne, and our theme music is by the space senpai, Breakmaster Cylinder. Even though somewhere in the world, a company was just breached and the CISO said how is that possible? We’re PCI compliant. This is Darknet Diaries.
[OUTRO MUSIC ENDS]
[END OF RECORDING]