DEFCON 19: Steal Everything, Kill Everyone, Cause Total Financial Ruin! (w speaker)
HTML-код
- Опубликовано: 21 ноя 2024
- Speaker: Jayson E. Street CIO of Stratagem 1 Solutions
This is not a presentation where I talk about how I would get in or the things I might be able to do. This is a talk where I am already in and I show you pictures from actual engagements that I have been on. They say one picture is worth a thousand words I show you how one picture cost a company a million dollars and maybe even a few lives. In a community where we focus so much on the offensive I also make sure with every attack I highlight. I spend time discussing what would have stopped me. We need to know the problems but we need more talks providing solutions and that is what I hope people will get from this. I show the dangers of Social engineering and how even an employee with no SE experience can be an eBay James Bond which can cause total financial ruin to a company. These Security threats are real. So are these stories!
For more information visit: bit.ly/defcon19...
To download the video visit: bit.ly/defcon19...
Playlist Defcon 19: bit.ly/defcon19...
As a pizza hut driver, I can confirm how easy it is to get past security. As long as you seem like you're supposed to be there, 19/20 times no one will stop to question you.
In a lot of places, a green hard hat and a clipboard repel every one . No one wants to talk to the Osha inspector...
@@joshfloyd7755 a white hard hat and a ladder works a lot too.
Exactly it all comes down to if u dont look like being someone Who isnt supposed to be there or dont look like your doing something shady No one will notice you or think twice about what you are doing
thats social engineering.
how much security is there at pizza hut lol.
As an Air Conditioning mechanic with a very nice uniform and tool pouch, with appropriate name badge and company logo I was admitted to some of the most secure sites in all of
Southern California, including IBM. and several federal buildings. I was only asked to produce Identification one time and that was an FBI site. The front desk would take one look at me and I would ask to speak to the building manager who would then escort me to the server room and rooftop where the equipment was. That FBI site was very different, as I was escorted by someone with a little hand held siren and flashing light. As we walked down the corridor to the server room I watched doors slamming shut as we approached within 20ft. So cool.
seems like the fbi know exactly what to do
bullshit
😂 pen testing is real
I have heard your podcast
I used to sit on the planter 15 feet from the guard shack at las vegas fbi building smoking a meth pipe.
I work in childcare and this is so important. We have pissed off so many parents and grandparents just because we had never seen them before or because they aren't on the enrolment forms. The only thing worse than someone stealing data is someone stealing a child. Constant vigilance!
Any parent or grandparent who gets angry when confronted with that situation doesn't care about the child at all. Keep fucking up their day with a smile on your face.
It's just natural instinct to get pissed off when you are going to pick up your kid and you are immediately treated like a child rapist. I'm a big gruffy guy and the daycare wouldn't even open the front door to talk to me. It's a giant over-reaction by the industry my kid is way more likely to die by car accident on the way home than be nabbed by a stranger.
Same thing at a hospital I worked at when a baby couldnt be found in the NICU. It was never someone abducting a baby but we still posted guards at the entrances with orders to search all bags leaving the building.
You don't want me looking in your purse/backpack? Sorry ma'am/sir , you're welcome to have a seat right over there until the code is resolved but unless I've searched your bag. You ARE NOT leaving this facility.
there's only one thing worse than a rapist
a child
NO
This. I once had to pick up a relative after other relatives were indisposed. However I had never picked up the relative from school before and the school almost refused me access but I presented ID and explained the situation, which involved hospitalization, and this was their solution.
As the Head Teacher talked to me about the need for security they quietly brought the relative in question into another room wherein there was line of site to me but without me seeing. Naturally my relative confirmed my relation to them and the Head Teacher brought the relative in and then the apologies came but I politely rebuffed them as I considered their actions more than appropriate.
Im a delivery driver and Ive had people let me into secure locations to complete a delivery. I carry a box to a door near the smoking area. Almost always, someone will see you with your hands full and offer to swipe their card and let you in.. Saves me tons of time
As long as you're in uniform.
@@Speed001 I'm a delivery driver for a small pharmacy. I'm in plain clothes. I'm never holding something with more than one hand. People still just let me in if I knock and wave.
@@Speed001 uniform doesn't matter. While I was going to school for cybersecurity I was also a pizza delivery guy. You'd be amazed how many places you can get into with a pizza bag. Even secure places. People are all too eager to let you in when carrying pizza
Pizza bag, the new clipboard.
I'm a contractor. Carrying a toolbag with some paperwork and I can walk into any building without ever getting questioned
I used to work for a high speed cable & connector manufacturer in the design division. Not long after I started, I was offered & accepted a slot in the ITAR team. ITAR, basically is the military equipment systems (I was offered the position because I was really good with 3D design & concept modeling, and I am a veteran, so they figured getting a security clearance wouldn't be an issue & would process quickly. Which it did). Immediately after getting approval to work on ITAR projects, I requested a monitor filter so only I could see my screen, or rather you had to be directly in front of it to see it and turned my monitor so people passing by my cubicle couldn't see my screen. I also locked up my cabinets & drawers every time I stepped away from my cube. And, never left papers laying around and until I memorized passwords, I kept the notes in my pocket in a small notebook or in my wallet. Now.... the funny thing is, my diligence on security frustrated other designers & engineers because they couldn't just swing by my cube and rifle through my desk and hand to stand behind me when going over 3D CAD models. My standard answer to their bitchy little rants to me was, "well I'm working on ITAR, and I'm not going to risk my security clearance or the company's ITAR certification because we regularly have foreign nationals in the building, for your convince. I take security, seriously". That usually shut them up, and I even saw a few engineers loose their ITAR cert after complaining to management about my personal approach to security (really I was just following the rules), because they didn't take it seriously.
I've known about your profession for a long time and always thought it would be cool to do what you do. Cool video. Thanks for sharing your thoughts and knowledge. Keep up the great work. 😎👍👍
Semper Fi 🇺🇸
Nice wish I have your job but I’d need to work on my safety security knowledge.
ITAR? Utah!
In Communist Russia they did not have "ITAR"... they had "we tar".
Once upon a time, I worked for ups. I can guarantee, that when confronted with authority or a developed sense of trust/ignorance, individuals will cave and allow access to sensitive items and information. Also, many individuals are dumb as hell with no sense of security and will often ignorantly leave sensitive locations open with no security. I once delivered a package to a company that consisted of an office and warehouse. Upon coming to the location, I walked in the front door, saw no one, proceeded to venture through the building walking into multiple offices and into a warehouse with hundreds of thousands if not millions in product, I then walked into the security office, found a name badge and dropped the package off under his name.
Don't worry though, I did walk off with some loot. I managed to steal two water bottles out of the fridge like a freakin smooth criminal.
It’s amazing that even this talk is 10 years old, it’s still relevant. Says a lot about the evolution of physical security.
DEAR GOD NO
Yeah this presentation is legendary. I watched it when I'm 12, now I'm coming back 10 years later
yeah… i spent quite a long time thinking defcon 19 meant it was 2019 and was wondering why the quality was so bad…
@@motrinmedic No your mom doesn't amaze me that much anymore
Here 3 years later to ask: What evolution? Oh no, I had to buy *different* specialized picks and bypass tools 😢...🙄
Honestly, one of the most secure places I worked at was a small engineering firm. You know why? There were 10 employees, one IT guy, the door required you to walk past the nosiest office admin in the world, and the UPS guy was the same every time. Everyone knew every time work was being done in advance, and when people from the parent company were coming, and the only flaw I saw was that the bathroom was right next to the 3D printer room, but that had glass doors in a high-traffic area, so anyone could see if someone was in there. The door badges were separate from the alarm, which everyone had a different code for, and both reported to the security log on who opened or deactivated what and when, which the office admin regularly checked. I'll admit that I memorized a senior coworker's alarm code when I started, but that's only because my code hadn't been working, and everyone knew that.
He's so right about management being reactive and not proactive. I work security for a building in a major city, and our contractor network has so many holes in it that basically anyone with a hardhat, reflective vest, and a clip board could slip through unnoticed at any time of the day or night. When we mention it to our management, one of us gets written up or fired, and the problem continues. They do the bare possible minimum by terminating contracted employees rather than actually admitting fault and fixing the issue.
High visibility clothing sometimes does the exact opposite. Hiding in plain sight.
Sounds about right for management in today's climate: cheaper is better.
as a carpenter i have gone all sorts of places, just by looking like i work there. I don't do anything, mostly i just do it to check out neat projects. I did get sweet parking at the airport once because their work trucks looked like my work truck.
Sounds like somebody doesn't want that back door being closed
Used to do accreditation (is that the proper term?) for venues and festivals for a while. Basically, no one's allowed backstage until they come tell us what they're there for. You probably must've seen the pictures on Facebook "this is my guitar that got stolen" by some guy in a band when he kept his stuff in the backstage. It happens a lot. We know that, so we try to avoid it.
And unsurprisingly, i've actually had people trying to get in the backstage, though they didn't seem malevolent - i was never sure. Mostly just drunk adolescents. (its a festival after all) Heard a lot of bullshit and flimsy shit, i don't think i ever let someone through that wasn't allowed to. But festivals are pretty busy and all that and most of them are always edging towards complete chaos and collapse.
The maintenance and tech teams that keep passing by all day, in their reflective clothing, carrying some big cables and other heavy equipment around? They never get asked. I really can't even, they usually just walk up and down all the time, stopping them everytime would just be ridiculous. Its incredibly easy to blend in with that and just sneak past.
So if you ever want a free ticket inside a festival, all you need is a reflective vest. There you go - enjoy.
I'm not even in security and I loved this talk. Hilarious delivery. If things don't work out for Jayson in security, he can always do stand up.
I was in a special Marine Corps security unit and I think this guy is ego based, unrealistic and has unrealistic expectations of normal workplace relations and personal actions with ones own personal property. If I left my items at my work space and some ego driven dude steals my shit it won't be a scenario anymore, he's getting fucked up. I've seen guys like him before that overuses their few opportunities in life to be billy bad ass, it's not the professional stuff I'm talking about, it's the seizure of people personal goods (assuming they know nothing about any of this). He's essentially doing individual OpFor but seems way to glib about it.
@@whatabouttheearth Fair enough assessment.
Hahahaha. Employees that get treated like shit aren't going to care about some companies financial security.
Rule 0 Don't treat your employees like shit.
sorry, i can't count to 0.
exactly, the only real security solution is to make sure that all the workers actually have a reason to be interested in their work and its security, if not by turning your workplace into a worker-run horizontally-organised democracy in which everyone has a stake, then at least by actually paying people enough to care
You had an easy life congratulations
Ed Peck I like the horizontal model for businesses, but I also feel no matter how democratic a workspace or how much someone gets paid, you’ll still get a work environment where people don’t give a shit.
Work and most jobs suck.
An alert and educated work force is truly dangerous. They might realize how bad they're getting shafted.
You must not hang out with folks who have a bit of a twisted sense of humor...
It will never happen. If it could happen it would have.
for reeeeeeeeeeeal
That means You!
" I hate when they steal my stuff that I stole " best part
If there's a red button, I'm pushing it twice.
Can you imagine being his mother when he was a toddler? Same kid who would stick a knife in an electrical socket, turn on a stove and sit on the burner, put firecrackers up the kitten's behind, bite the head off a bat to act like Ozzy... And so on. Society really does need people like this to keep us safe from ourselves.
"enforce [...] not with a baseball bat. Ohh, gush that would be fun."
I love that line from Cheech and Chong!
@Ami Riegel You really don't understand the red vs. blue thing, do you? People pay him to check their security, he's there with permission, like that show undercover boss. And he gives the stolen things back. Notice the comment about giving 4 sets of car keys to the manager. He shows companies their weaknesses so they can be fixed. It's an important job, and you are safer because of people like him.
Security officer here. I agree entirely with the contents of this video... physical security penetration is not difficult at all, and usually involves manipulating the inherent human desire to trust others.
The biggest key to security is to *LEARN HOW TO SAY NO AND OWN THAT DECISION.* If you go into an interaction with the goal of verifying identity, *DO NOT LOSE SIGHT OR BACK DOWN UNTIL YOUR OBJECTIVE IS COMPLETE.* A penetrator's objective is to deflect your attention or turn the encounter around on you. They accuse you of being unprofessional or rude; outright ignore these accusations. Remain professional, repeat your question until they acquiesce or leave.
The average person like to be helpful. No one enjoys confrontation except a deviant. Breachers like to threaten consequences to manipulate both aspects. But few employees realize that it's possible to remain professional AND tell someone no. It's a difficult skill to teach in new officers, so imagine how hard it is to teach frontline employees the same thing.
nice to see a comment from you here, your ace combat videos are awesome!
Security companies HATE him, See how one man got past million dollar security with just a pen cap!
I doubt that really was a million dollar system. All he did was prop a door open once getting it open. Security companies just want to cash your check. And so does he. Your security will only be as good/effective as you make it -- with people in the equation, it gets very difficult.
jfbeam i work for a large multi billion dollar hospital that has secure areas that can be bypassed this very way, the more money they spend the more the forget about the basics and SE.
jfbeam it's a joke
lol
@@jfbeam ever heard of a joke before?
You know, it's these kinds of talks that should blow up in the millions.
People don't even need to watch the entire talk, people just need to be aware of the fact that there IS a possibility of a security flaw.
As much as they make it seem, people aren't stupid.
All they need is a what, the who, why, when and where will follow shortly after.
But they are, have to seen what going on in this world 99% of people are fucking dumb.
I used to work security at a factory that had defense contracts.
If you came in without a badge, you parked in visitor parking, signed in with me (didn't need ID) and then signed in at the main office where they would check your ID.
Just walk in, "Where is your restroom" and off you go.... or just not go into the office. We only had one guard at each gate, and guards were required to stay at the gates.
Trying to describe one person to someone else after you have seen 5 other people since seeing them will limit your ability to describe them in detail.
Trying to track that person down when you only have camera's at gates, is laughable.
Tf is wrong with you ppl
You can go just about anywhere with a clipboard and confidence. I went into the reactor building when the Crystal River nuke plant was running. Walked all around, took pictures, and left. I walked right past the guard at the door. Drove a 30 foot crane truck up to the door. I had a work order for FL power but I was at the wrong location. I went in looking for a supervisor. Never found one so figured this is cool, I need photos.
I'm not a hacker or a tech guy of any measure, but I'm so glad I clicked this video. It was eye opening!!!!
yeah its a great talk
Good, more people should be aware
Me too man this is crazy
i bankrupted my company after watching this , it was so eazy .
Rabbi Schlomo Ben Goldbergstein Same dude, I just had to wear a hard hat and nobody was any wiser. It didn’t even make sense, since I work in a kitchen. I was able to redirect all of the paychecks to my name, though. Too easy.
Best job in the world, common sense levels OVER 9000!!!! hotels, banks, and so many other establishments truly do need to empower their employees, obviously teaching ground level security, but also recognizing that nobody working 40-60 hr work weeks for $20,000 a year has a vested interest in the security of the company and that includes the security at the front gate. People that work 6 or 7 days a week are too engrossed in thinking about how to keep on the damn lights, to ever have the thought, "why's that guy been in the bathroom for 2 hours?"
And even if they are, they rationalize they guy's really sick/working/whatever not my business.
I can confirm for sure!
Why did I have to scroll this far to find this comment
But if you look at it from employers perspective - why pay people more if they'll resort to the same excuses about doing the bare minimum? I can somewhat understand that sentiment in large corporations where individual contribution can go unnoticed longer but how can people expect to advance to higher pay grade when they are unwilling to put in effort to show that they, out of all employees, deserve it? Sure, everyone should earn enough to keep their light on - but that's besides the point in discussion about effort and rarely up to decide for the direct supervisor. If one is willing to put in minimum effort only then how can they genuinely expect more than minimum wage?
The comments about creating competition amongst employees is bang on the money. I'm not in IT, just retail, but when you put everyone together doing the same job, we work faster. Seperate us, and less gets done because you're not subconsiously trying to beat someone. Seperating people also means the genuine slackers will be able to get away with slacking off, because their co-workers aren't watching them.
Years ago we had a team competition to find the most mis-picks: all stock arrived from the warehouse with a picking label. If the label didn't conform to what the product actually was, we removed the label, wrote the correct product reference # on it. Whoever got the most mis-picks at the end of the month (adjusted for hours worked) got a _paid shift off_. Management saw that as a cost, so they stopped us doing it. Result? Stock control is out of control, because no one is checking the stock, and the six-monthly stocktake is a nightmare. What was costing them a few hundred a year now costs tens of thousands in 'unknown losses'.
TheOneWhoMightBe lol so you've seen the benefits of a competitive environment and what a disaster a disincentivised one is, yet you still supported a socialist for President... Come on. Really?
separate*
Pretty typical upper management thinking. They will step over a dollar to pick up a dime. Company I used to work for ended up spending $50,000 to fix a stamping press, when maintenance told them that if they would overhaul it right away it would cost about $5,000 for an overhaul. Idiots.
@@littlerhino2006 What Sanders wants to do will make us more competitive. When people are more educated, they can bring innovation. When people are compensated more, they will try harder to be productive. When people are healthy, everything they do is better than if they were sick.
Well, I'm sure the guy that "figured out" how to save those few hundred got a promotion, while nobody is really responsible for "unknown losses"...
Incentive structures ... what's best for an employed manager might not be best for the company and/or long term, especially when one thing is easily measurable, while the other is not.
nothing he said sold me on his claim that he's a bad guy more than his open admission that he drinks diet pepsi.
IS this an inside joke??? Diet Pepsi is EPIC!! Ok Pepsi zero is better but still, as diet pops which aren't Dr. Pepper go, Pepsi is Top Tier.
When he was pissed that bankers got kidnapped TO THIS DAY convinced me.
@Frank Snapp This man isn't a sociopath. He clearly has a conscience
Not the haircut?
@Frank Snapp HUH
"I'd rather get a thousand false positives because at least I know they are actually thinking about security." Great ideas here. Funny because a lot of the "pro" security guys who spend hours a day double checking all their code-based defenses would be put out of work by employees who just follow basic protocols and think about security for themselves.
then these out-of-job "pro" security guys just have to outsmart employers and invent new methods, until the company is forced to employ people like them. This guy even said it himself, he played for both team.
The thing is the regular employee already has a full time job to do, Companies need to stop expecting their employees to do 3-5 separate jobs at once while getting paid the lowest amount possible.
When companies are willing to pay their employees a fair wage for the amount of responsibility and work they put on said employee, Then and only then will they get the results they desire.
Some of us would love it if employees would just follow basic protocols... The number of times I've thrown out the door stop they put under the lunchroom door (which leads from the entire office to reception which is an unsecured area)...
Scientiae Magicae I cannot agree more. If an employer expects me to protect their million dollar investment (their business) then they need to pay me for it. They can say that they are paying me to do this as part of my job, but it is not going to make me care about their business security one iota more. Also if you blow me off when I do report an issue, then chances are I will never report another and not lose one wink of sleep over it either. I used to work in several high security fields and physical security (and bypassing it) is one of my acquired skills. It is usually surprisingly easy.
Hmmm. Almost like ever greater centralization at the cost of individual autonomy is detrimental to work flow efficiency.
I was a touring lighting director with a band for 23 years... I could walk past venue security *_every_* time as long as I had some badges on a lanyard, a roll of gaff tape in one hand and a scowl on my face...
feels like how agent 47 fits in everywhere, no one wants to mess with the bald guy with a death stare
Can confirm, music festival security are either volunteers or contracted workers. I once forgot my badge and the polo/radio combo was enough to get around despite the access control that was implemented.
Same with the film industry. There are "day-players" on set literally all the time so there are always unfamiliar people around, and it's generally organized chaos as it is, especially big and/or on-location shoots. As long as you don't look blatantly shady, everyone just assumes you're supposed to be there. A walkie with an earpiece and maybe a badge and people will assume you're a production assistant, and you could get away with a lot.
I can still do this at many places
@@jincyquones Lol I've done some work as an extra and half the time i was supposed be on set ready for the next scene , I just pretended I was in a hurry to wherever I'm supposed to be, sneak behind the back studio light, out the door and go nap or get a sandwich. Was even easier to sneak back on set even in scenes I was pretty visible there were tiny continuity errors in the background cause I was there and then suddenly not and then back.
Regular security awareness training for ALL employees is essential. With realistic tests. One office I worked in lost a couple of dozen desktop PCs (including screens/keyboards & mice). two men in warehouse coats and a trolley just walked in unchallenged and took the computers.
Install a million dollar security system, contract with a security company that pays $11.50 an hour.
exactly lol If they paid 50 grand starting they'd get some quality guys
Yup if you really want to keep a good employee as in lock in step and keep vigilant every day the pay must equal the risk...I work for a major power company and for real if I wanted I could cripple most of the city for weeks... reason I don't??? THE DECENT WAGE AND BENEFITS THAT I HAVE!! BLOOD SUCKING TOP DOGS WITH MILLIONS TO SPARE DONT GET IT...YOU CANT BUY LOYALTY BUT YOU CAN DAM WELL RENT IT IF YOU PAY A MAN THAT KEEPS HIS HEAD UP HIGH....YOU PEEPS AT THE TOP NEED A LESSON FROM THE OWNER OF DACATTE....NOT SPELLED RITE BUT TRUST HE CARES AND SHARES....OR OLD SCHOOL JAMES CASH PENNY...MY IS CLASSIFIED AS MOST DANGEROUS IN U.S. AS OF THIS YEAR... EMPLOYEES CAN DESTROY YOU...LOOK WHAT HAPPENED TO FORD YEARS BACK WITH THEIR DIESEL MOTORS OVERHEATING....IT WAS A TEAM OF EMPLOYEES THAT DID BECAUSE THE COMPANY CUT THEIR WAGES...THING IS THEY CUT THEIR OWN TROUT LOOSING MILLIONS ON A CANCELLED CONTACT...YOU GETTING IT YET RICH OWNERS???...
@@jimblaszczyk185 Shouty poster is shouty.
@@RogerBarraud what don't you get?
Most security guys ik at low levels get drunk and high on the clock and never report anything that's not super extreme
"Look, I stole your shoelace, and tied a coffee cup to the end of it. Now I've got a deadly weapon."
This is Star Wars Kid grown up.
Actually that kid killed himself. Js
Sean Hell Is God No, he's alive and in Law School.
wow he lost a lot of weight. I knew there would be a silver lining to the business decision to cease production of Twinkies (at least until next year's board meeting when they caved to the many THREATENED hunger strikes (none of the fatties err fans actually went on a real hunger strike)).
Lilly Anne Serrelio LoL
.
I work as a fork truck technician, and the amount of times I've accidentally went to the wrong warehouse (since a lot of industrial parks have warehouses grouped together and subdivided) and they literally let me walk the facility looking for the particular brand of trucks I service is astounding. I was literally able to pull my service van directly into a facility which processed / stored ammonium nitrate. We're talking about a quantity that would make Timothy McVeigh blush. Coincidentally one of the most secure facilities I've ever been to has been a factory that makes PVC siding for houses. You were not allowed to even come inside without an escort, you had to turn in your electronics before servicing a truck, and your van was thoroughly searched before leaving the property. I understand that in a lot of these places the employees simply want to be helpful, but there are tons of bad actors out there who are looking for exploits, and that's to harm others / commit corporate espionage.
Just a guess: a lot of this might be harder with smaller companies, where people have a better chance of knowing what's going on around them. Where everyone kinda knows eachother, and they don't feel like just a cog.
Nope. Works just as well. Sometimes you need a slightly better back story, but only slightly better. Lol people are people, and unless you train them they won't behave correctly. I should realy say untrain thier bad habits, and train good habits. As a society we have been doing something that has gotten many people killed. That is, don't stigmatize the weirdos, don't make the weirdos feel like they are weird. #1 that's a good way to end up dead, #2 it psychologically makes the somewhat normal looking bad guys, look innocent in our minds. We need to stop treating the abhorrent as normal, and reestablish boundaries.
When I was eighteen, I got a job as a laborer at one of the main Midwest railroad terminals. I soon discovered that my work clothing was disguise enough to let me wander over the entire yard unchallenged. In college, I stuffed the strike plate in the rear door of the field house with toilet paper to keep the latch from engaging, and snuck in to use the weight equipment after hours.
Wow, this dude's fucking hardcore.
I think that your simple statement sums up this man better than anything I could ever think up. LOL Really, what a hardcore dude. He actually gives off the "I'll fuck you up" vibe, which is sooo rare for a "good guy" to have.
EdmondDantesLeComte The best part of it is that unlike a lot of pentesting talks I've seen, he isn't going after obscure angles or doing things that are overly technical. What he's doing has more realistic expectations of being used as a true attack venue.
EdmondDantesLeComte kinda guy that plays bad ass with u, then gets ur ass locked up. Fk guys like this
Birmingham Man Rixstaa ya fuck him for trying to stop people from breaking into places.
+Joichard how hard would it be to start up a hobby of asking companies if they want to test their security and then do something like this with their consent?
This was the hardest intro to a defcon talk I've seen so far lmao
Weird...same thing ahppened to me in a Hxxx Kxxx Police Station when I went to report a theft. I couldn't find that dang bathroom for ages. Found the evidence room, but.
hong kong?
My favourite game is Bingo.
James Mccallum mine is uno
+James Mccallum i just like uno
Why did you come 3 months later to add that?
"Or seven minutes of uncomfortable silence, your choice" this guy kills me
Only if you pay him.
One of my favorite Defcon talks, at least one of the most interesting.
Working in the hotel convention industry for 20+ years, I have learned that if you pretend that you Belong There, you will probably get in. I've done it many times. True story ✌️
Me too
wish this guy had more videos, talks, etc... so good.
My son was into the defcon group. He and his wife and my grandgirls went to Las Vegas quite awhile back. He flies me there to watch the kids while they attended defcon meetings. I asked him at one point if there was a at. Close by. He said yes, but don't use any of them and laughed. He told me to go to one of the big hotels to use them. On the TV in the condo it had stream down on the bottom of screen of how many hacks they were accomplishing. It was a very interesting weekend. Before then I never knew something like Defcon existed.
It's like 3am and I havnt slept in a couple of days but I want to hear more from this guy! He's awesome!
Daud A. x
I think we lost him
you alright Kinzuko?
Ridwan Sunandar why?
I meant Kinzuko since he havent replied since 1 year ago. last i saw him havent had slept for couple of days.
Ridwan Sunandar I meant why would you revive this thread
I actually had a stranger walk up to me in a non-public area at work and ask if he I have the keys for our delivery truck, mumbling something about being a friend of the boss. (While I had a guess that they might be lying around in plain sight just 10 meters from us, I send him to the office and ask there.)
Turned out he really was a friend of the boss, who had offered to sell the truck and told him to come buy and take a look at it. Such things really happen, which makes apparently stupid lies feel actually plausible.
This reminds me of one time when I was at a supermarket and two suits (owners) were right next to me talking about investment (and one employee also 1 meter away) and I absent-mindedly put a pack of gum in my outside jacket pocket in order to hold down some items while I opened a refrigerator section door. Only noticed I had it by the end of the day when I took my jacket to get home (went back and explained to the cashier and paid them). Even if unintentional, somehow I had stolen goods right in front of the owners and they didnt even notice it. I think it was likely because of how natural I did it while holding other stuff, which I guess goes a long way. This guy acts naturally, and that throws people off.
i love how this showcases just how safe and unsafe we all truly are. we could be infiltrated/hacked/poisoned etc... everyday, but we arent... wonder why that is. because not everyone or even the majority of people WANT to attempt to do these things. most just want to exist and be happy and enjoy life as much as possible.
good wolves need to unify and take out the bad wolves lol
This kind of terrorism just isn't what we face these days. We have so many more visible attack vectors, walking into a school or movie theater with an AK-47 because you hate the world, hijacking a plane to kill a bunch of people and instill fear, calling in a bomb threat to get out of your test that day, etc, those vectors are much more visible trying to find an unlocked mechanical room after procuring napalm.
It's the kind of attack that you'd need to be a part of a much larger network. Think IRA during The Troubles in Ireland. They were doing semi coordinated terror attacks on the daily all across the country, you never know where they'll strike next. Small cells using the same tactics to create a much larger group. Sure, you could kill 20 people in a hotel by setting fire and turning off the fire alarms and sprinklers, but that isn't too impactful on its own, you'd need dozens of them across the country to spark true fear by identifying a pattern.
Hotels aren't symbolic targets like sports stadiums or airports, and those targets are generally very well protected. Not perfect, but far better than a hotel.
@@AnonyMous-pi9zm well that target of terrorism is often the point of the attack. Take the towers for example, most want to argue whether.or not jet fuel can melt steel. It can't but that's not the point.
The towers held a lot of physical financial records and the building was old. So ny profited by getting rid of some old buildings and old records.
Rarely are coordinated terrorist attacks just random, usually they are strategic or financial targets.
This guy is good; another one of those people I'm glad is on our side!
A PERFECT EXAMPLE OF WHAT I SAY.....JUST BECAUSE A PERSON IS NICE, DOESN'T MEAN THEIR GOOD!
2018 - We received an e-mail recently telling us not to STORE printouts with confidential information IN TRASH CANS (we all have locking file cabinets and we have a shredder on every floor.)
After someone hammered the lock (from the outside) and broke the panic bar on the outside stairwell door, they replaced the door,,,12 months later. During that time they put a sign on the door telling the employees to make sure the door closed behind them. This door is six feet from the server room door. We are a billion dollar organization, yet it took them a year to fix an external security door....
I always loved re-listening to this Defcon talk. Just myself working as a Technician this hits hard as I've seen many people just get "let in" to areas because they "look like they should be there". This has always urcked me, and when I have a security let me into a badge area, or verify my credentials on the phone before unlocking a door it makes me so happy.
*irked
The problem in security is usually somewhere between the keyboard and the chair. Every time.
PICNIC .... problem in chair, not in computer, hehe
PEBKAC - Problem Exists Between Keyboard And Chair
That's the one I always heard back in my Computer Science schooling days, lol.
Well, yeah. You can't remove that problem, only minimize it.
I worked as an RN, very few hospitals ever offered enough lockers or other secure place to put a purse, or even a set of car keys. Even after having an employee steal, and outsiders come in and take purses, no action was taken, three different hospitals.
"I don't care about an ISO unless it's got linux on it" I cant tell whether that's a compliment to linux or an insult
Everything you have pointed out shows that ultimately we still trust each other to not destroy other peoples sleep or lives, just because you figured out to do it.
27:20 Back at a corporate lawfirm i worked for, their shreading was done out-of-house, they had these locked wheelie bins that anyone could put paper into through it's post-box style slot, they'd get taken away every day/week/month/dunno. Seems secure enough.
But now that i think about it... these locked wheelie bins were put right next to the service elevator doors (ie: deliveries). Any delivery man could walk out with one of those wheelie bins. Whoops
We have a wooden cabinet with a lock and a slot, and a shredding company opens it up and takes away sensitive documents periodically. Except the lock is a bullshit dinky little tubular lock and it doesn't matter anyway because it's *fucking wood* and anyone could rip it apart with a prybar or any kind of leverage at all
@@CB3ROB-CyberBunker Outsourcing coffee making... does the name "starbucks" mean anything to you? :P
@@CB3ROB-CyberBunker do you think buildings are heated by coal or something? You can't just have a shit ton of paper ash accumulate in a natural gas furnace
@@frother any self respecting building should have some sort of autonomous heating system that works without external suppliers, which might as well just destroy the documents and other garbage when not strictly needed for tactical or heating purposes (in summer just direct the waterpipes to radiators on the roof).
the 'nice' bit about central heating is that the waterpipe doesn't care wether it runs only through your oil or gas or electric heaters, or wether there are also some coal/garbage/document burners installed in your basement right next to them on the same pipe and expansion vats.
Although at first glance dated, the info in this presentation is even today still very valuable. And Mr. Jayson can, next to being a very strong speaker/presenter, best be described as a highly versatile, inconspicuous security endboss!
After all these years, this is still my favorite stand up comedy show.
Guy walks into a secured facility bearfooted, wearing pajama bottoms, sporting a mohawk and carrying a 2ltr of soda.......meh, no issues.
Wait, hold on.........is that DIET pepsi??!!
!!ALERT!! !!ALERT!! !!ALERT!!
Jason McMurry not a mohawk, it’s a mullet with the sides shaved.
@@whackyjinak4978 I don't think what distinguishes a mohawk from a mullet is simply whether it's spiked up or not. The native americans certainly didn't spike up their mohawks
The Chad Pad I said nothing about spikes, it’s just not a mohawk.
Lol.great
Fred Flintstone Some kind of new dinosaur maybe?
Remember the kittens
If not for this comment I would forget all the kittens and think this was just some baddy.
That what the bad guy would say.
@@MajkaSrajka y do good girls like bad guys?
A uniform, no matter the uniform is ridiculously powerful, nobody questions it.
I was a Delivery driver for a couple years and I laughed at how easy it would be to get into places. I walked up, said I had an order and the gates would open right up. Then go wherever I want from there. I remember delivering to a hotel once and just walking to the counter and telling them to page them and she just said "Oh she's in room 111". I've walked into employee entrances because I wasn't real sure what else to do other than that and the security guard let me right in. Same with several other companies, with my own chaueffer
Some people refer to it as low hanging fruit.
I refer to it as *the weakest link*
Ever worked for a company and spotted one (or possibly one per hour) of those weakest links? Ever been a visitor to one of those companies? Just how critical is that company? How many people does it employ, ho much per year does it make, how much credit do they have?
Could it be something just a bit more critical? A hospital, key infrastructure, a major government contractor?
If you are seeing it as a non professional, or even a semi-professional... Then imagine who else is seeing it. What would your competition do? Would they ever try to knock your company out from being the competition, or damage you enough to make you want to walk away?
Every company and employer is effected; from just a few employees to the top of the Fortune 500 - and then some. For those anywhere in the Fortune 500 or any publicly traded company...
The worst enemy is one that you cannot see, one that you will never see. Imagine someone just slipping into a company, and then not doing one item of visible dame to it - ever. They just sit back and watch. They will make money just sitting back and watching
@FatherBootyHands The guy in the video? His job is to expose major security flaws in businesses by sneaking in and acting like he belongs, installing his bugs, and stealing stuff, then returning to the guy who hired him and presenting what he got out of it and the many flaws.
As much as I support this person, there's nothing worse than being treated suspicious when you're not. At some point my electronic badge stopped working at the company I work for. I couldn't access restricted areas. I sent a request to get a new badge, which would take a few days. In the mean time I borrowed badges as work just goes on, right? And fuck I was being looked at by everyone. Dude I come here every single day, just let me in. Those days I did find out shortcuts to almost everything so I didn't need to borrow badges as often. Putting a handkerchief between an electronically locked door blocks the lock from engaging XD
Wow it's neat seeing you comment here lol, I subbed to you years ago after listening to some Demetori on your channel!
Watching this remided me of something
I work as a lumper for a small albertsons warehouse branch, sometimes i transfer over to a winco warehouse. The first time i went over there they didnt know i was coming i offered to go for more hours
I drove up to the gate (im a idiot they told me to go to the front for employes..) buuuuut i went to the back because i was lost and really close to being late
right behind a semi truck. the stopper came down, i stoped
the gard just looked at me (i didnt have a vest on, just a black hoodie) and opened the gate. Now they have RFID tags for the lumper team i work for, my card for alberstons doesnt work at winco
So, I waited tell a lumper came out and asked him to let me in. Still, no vest on or anything
i just said i was here to help from the other branch...... It never donged on me that i just got in there without saying my name, or any form of proof...... i just got in...
How do you look like? Hair color skin color? Im Interested because I dont look European (half German/Mexican) and I am interested if this would work for me.
heh, it "donged" on you?
@@Lavarusity sorry it wouldn't work for you as it wouldn't for me either..
40 years ago I worked at a defense contractor who was a USSR's *number one* infiltration target. I recall a security awareness briefing where the security head said (even then) if someone is in our facility and has access to data there is no way to keep them from walking out with it. None. There are simply too many methods that are effective at recording and concealing.
The only solution that is effective is comparmentalization to 'need to know'. Find those things that are truly secret and limit access to them to the smallest group of people possible, and make sure any processing equipment used is not connected to a wide area or unsecured network. Otherwise, it's going to be found and stolen.
This guy would love my boss.
Boss gets an email. Email says it's from someone else in the company. Boss knows this person, and has their number in his cellphone. Email has a file attached, and corporate had warned not to open any attachments from unknown sources. This person had alerted corporate that his computers had been compromised, and don't open emails coming from his email address. Boss doesn't know what to do. He has a meeting coming up, and this person has information he needs. He doesn't call the person on his cellphone to confirm he actually sent the email.... he *replies to the email* asking the sender "is this you? Is it safe to open the email?"
*facepalm*
Everyone can guess what happens next...
The hacker replies "Yes, it's safe to open the file."
So the boss opens the file, and gets infected with malware.
The look I gave him when I heard the story....
THE LOOK I GAVE HIM.....
Imagine looking at someone that does something so *stupid* and you look at them with a bewildered look on your face that can only be described as "How the fuck did you even get this job?!"
r/thathappened
These are the people who make the big bucks. Who get treated for cancer. Whose kids get educated.
I own my own camera and network security company, I have worn many hats, like worked for AT&T/Comcats/Xfinity(Same company, different shirts) and many times, I walked right through metal detectors, with police and security around, because I was there to fix something. All I did was hand them a work order, It was never confirmed and I walked through with my tool bag. This is one instance and I have so many more! I have always stated the same message you are stating, as I am going back to school for Cybersecurity. It is time to fix the basics! Most hackers are attacking our lazy past.
Two truth bombs that will undo every single one of those security measures:
1. Normalcy Bias
2. Nobody's job is worth _dying_ for (intruder draws a pistol on the employee challenging them)
1 yes which is why it's hard and requires constant effort, 2 that sort of thing is easier to get responses to and will quickly get law enforcement involved more than just some corporate espionage/ sabotage that you may not know happened.
The main thing he is discussing is that you don't //need// the gun to get in. Just the right clothes and some decent props and boom, you are in.
He was literally defcon tagged, skull and crossbones, with a clipboard, and he was let into a secure facility.
He didn't need a gun.
He was walking around Malaysia, a hotel, spoke to the manager about cords or wi-fi, in pajamas, and wasn't questioned. At all.
It's not a matter of flashy. It's a matter of complacency.
This explains how organized crime & gangstalking , community mobbing and hackers well . This very interesting and disturbing at the same time ! Nice to know he's an honest criminal though. This video is really educational I needed to see this !
the Kenny Powers of office security
THAT'S WHO HE REMINDS ME OF! Awesome call
Grèg Ëdgé u nailed it brah
Grèg Ëdgé Kenny fuckin Powers
That's fucking hilarious
I wasn't going to watch the whole thing but it's almost IMPOSSIBLE not to watch this train wreck. Well done. EVERY company needs a visit from this guy.
It's 2020 when I found this video. It's still as relevant today as it was in 2012. Great presentation! 👍
I want to work for this Man....his philosophy and motive of operation are exquisitely effective yet simple.
this was the most eye opening video on security and hacking I've ever seen.
This is very similar to an article I read in 2600 years ago.
It was about a guy in an airport causing havoc.
I liked this presentation. Even though it’s old.
4:49 "Its not that I'm that great, it's that our security is that weak" I would think teaching people this lesson is a large portion of why many ethical hackers hack
I work at a company with a lot of sensitive information. This really hit home. Everything is getting locked in my drawer tomorrow. Even my pens.
What I do if I forget my access key to a building is to read an e-mail on my phone. As soon as someone opens the door, I frown while still staring at my phone, as though some work-related emergency just came up and then walk in without making eye contact. This works every time. I never used it to get into places where I'm not allowed, but it's scary to see how easy it is to get into places. People are afraid to get in the way of someone who seems busy with something. God forbid they disrupt someone's important work!
That is one of the best talks I've heard. He did a lot of preparation for that presentation regarding it's content. That was simply awesome.
"People don't expect bad things to happen..."
And then there's me, I don't fucking trust anybody unless i know their name.
Which, even if I've met you before, I will NOT remember your name the first 2 months I know you, yes, my memory is that bad when it comes to names.
Reason: My first internship was at a company I won't name right now, because the name doesn't matter.
They were a manufacturer of installation equipment (think boilers, expansion barrels and the like), emphasis on 'were' for reasons later discussed.
What happened is that they'd been hiring a lot of new people with low level education as of late, in order to help out with machine transport, welding, bolting, etc, as they just finished and opened a new hangar-wing (Don't know the exact english translation, but you get the point.).
A lot of really nice, and really good people, they did a bunch of work that would've taken weeks longer than with just the maintenance personnel originally present.
So... one day we open up shop after a holiday, which is like the one day we'd halt production, and we immediately see the desk PC's missing.
Everyone is just standing around whipping their dicks on a drum saying shit like "Huh, that's weird, i could have sworn it was there yesterday...".
My boss instantly snaps and just sprints upstairs to the offices, and we hear the loudest 'fuck' we've ever heard.
Everything was gone.
I mean everything, server racks were pulled clean, computers were gone, blueprints for products, valuables and other things were taken out of the vault, which was opened as anyone would have, with the fucking combination, no sign of a break in or anything like that.
In the following 10 ish minutes we just roam about the building, and it was hollow, not a cable left in sight.
It wasn't a robbery or a normal raid, they took their time and cleaned the place out.
Those 10 minutes were the last of my internship there.
Luckily someone in the IT department with half a brain had, about 2 years ago, suggested to use security cameras which stored off-site, in case, you know, _someone would take the entire security server rack with them,_ and we had the guys who did it on tape.
The thing is, there are a few people that knew them, the offenders, by their first names, like 6, out of the 70 odd people working there.
Everyone had a different description of what the fuck they were doing at the company, and everyone's reason for trusting them was "Well, i mean, Johnny trusted them, and he's an alright lad, so they seemed fine...".
In the end they went to prison, but the equipment was cloned, sold off, handed out or destroyed.
The damage was done.
Jayson here, in this talk, was absolutely right.
People don't expect anything to go wrong until shit goes wrong.
The company went downhill from that point forward, losing clients because of trust issues, competitors tapping into their designs, production downtime...
They lasted for about 6 years after the raid, and had to close their doors last year.
Is this a worst case scenario?
Abso-fucking-lutely.
But that day taught me a lesson, be it a good or a bad one:
*Never blindly trust anyone, and fucking. ask. questions.*
Sure, you might annoy the people you're questioning, but is that really such a bad thing considering who you _could_ be talking to?
Not my job and not my problem. If being nosy (and thus annoying) gets in the way of getting paid, then clearly the boss actively wants me to not give a shit about thieves.
@@realKenM Money is god. It's healthcare, it's food, it's a roof over my head. Fuck you.
Could you have summarized your book any better?
So if you caught onto this scheme you think the company would have given you a massive bonus? Probably not. As far as I have seen there are absolutely no incentives offered to employees to catch this kind of stuff unless your job is tied to security.
@@MrFunkhauser 6 years later *all* of their jobs were lost, so their jobs were tied to security. It's just a matter of short-term vs long-term thinking.
I work with a defense contractor and EVERYTHING is duplicated to paper. I've noticed some lax security stuff so I am tempted to try and bring some of it up at some point but they're never gonna get away from the paper trails. I'm still new so I don't have much say at all, but some of it seems a little concerning. I haven't dealt with anything super secret but we do see some stuff that we're advised to not really talk about, so better basic security stuff seems like a good idea
Title sounds like an average session in EVE Online. :D
I'd join that fleet in a heartbeat.
Most EVE corps have much better security awareness than the average real life company. Probably mostly because you cannot shoot any unknown guy who approaches your front desk irl.
I think realizing about how vulnerable our security is becomes a proof of how there are very very few bad malicious people in the world. There are so many opportunities to commit selfish harmful acts all the time, everywhere and yet we live in arguably the greatest time in human history.
I should look into getting a job testing security, the number of passcard/code locked ID doors I've walked through over the years....
like 2, right?
Some years ago I went to visit a friend in hospital. I was well dressed that day, wearing white pants and a white short-sleeved shirt and was carrying a clipboard, as I'd just been visiting a nearby architect on business. I found it surprising and amusing that hospital staff automatically assumed I was her doctor (they actually asked if I was)- simply because I looked the part and was carrying a clipboard and a pen.
"Social Engineering" is and old CIA/Psychological term that referred to changing societal thoughts to align how you want.
This term is often used instead of "Phishing emails" or "phishing phone calls" where people pretend to be someone they are not in order to get your personal information.
Social engineering is alive and well in USA but not in the way your being taught today.
My buddy just got sim port hacked, someone almost got all of his money pretending to be him on the phone with his cell phone carrier.
Yeah I can't stand how they use that term now. I think of Operation Mockingbird when I hear Social Engineering. What they're talking about it physical network security.
AS a security professional myself this guy is my best friend and worst enemy!
well now we are on a list for watching this
You are on all kinds of lists for all kinds of things you will never know about.
It is appreciated.
It’s the opposite. Most people are so inconsequential they aren’t on any special lists.
My invisibility cloak is a toolbox and overalls. But the very best is a mop bucket and cleaning gear.
The truth is we rely on honesty and good will.
When it is gone, we are stuffed.
The assumption everyone makes: Every system is secure.
The Truth: No system is secure from a determined attacker.
I really like how he breaks everything down!! Need more like him.. and I know exactly what he means when they let you in. I live in NYC. So I know...
Your mentioning the theft of docs left on printers reminds me of a time that I was able to get incredible revenge on crooked employers who were so arrogant and certain that no one would ever catch them, that they often left damning documents lying on printers or on a desk with a fax machine through which the docs had been sent. The more spectacular doc was from the executive veep of the western division sent to my immediate superior warning her that the revenues for that quarter fell short of her being able to be paid a bonus. He explained to her that corporate would, at the beginning of each calendar year, pre-pay the company participation in all of the benefit programs that long-term employees had signed up for (For example, our medical/dental plan cost $540/month. Employees had $20 deducted from their pay every week--the company prepaid $500 x 12 months into an escrow account for each employee. If the employee signed up for the 401k, the employee contributed 5% and corporate contributed a lump sum of 8% of the employees pay from the previous year--any adjustment of course would be made as needed at the end of the year--and there were other benefit programs, too).If that employee left the company for any reason before the end of the calendar year, the unused portion of the his/her escrow account would be applied to the operation's bottom line for that quarter to help defray the cost of recruiting and training a replacement--and, best of all, it could tilt the revenue picture in favor of the manager in search of a bonus. The veep bragged that he'd fired many an employee when he managed one of the company's publications in Seattle just to make certain he got his bonus. I lifted that email right off of the printer and faxed it to my home from the company fax machine right beside the printer. That document and a host of other equally damning documents including which national advertisers were being overcharged for a fictional product were eventually mailed to the legal dept.of the main corporate office in Iowa--not the western division in Washington state. Within two weeks, the president of the western division--appropriately named "Dick"--his executive veep, whose name was rather similar, and a gaggle of underlings were all terminated, including one based out of our office in the SW US--his job was to figure out why there was so much turnover at our operation. I still smile whenever I remember that..
I smiled just reading it, ya big hero! Me an my coworkers could use your help lol but seriously
@@kennethrussell5604 Keep your eyes and mind open--crooks, especially arrogant crooks who think themselves intellectually superior to their employees are bound to slip up. Good luck!
Still one of the best lectures from defcon. Hands down
"unless you pay me" - lol
MMM KAY CLASS
Went down for this
Poor security is bad. Mmkay?
I knew it
Excellent,Added To My Research Library, Sharing Through TheTRUTH Network...
Anolog is your friend. The pen cap getting past security locks since 1985 😂
Another trick is to ask someone if they can let you out a rear door a quick cigarette. If they don’t smoke, ask them for the code to get back in so you do t disturb them.
This trick I pulled of in a server facility. The guy gave me a fob to get back in. He said ‘take this for now, once your finished hand it back in’. That gave me PLENTY of time to copy it. (Took me 30seconds to copy it onto a device and write it onto the card I had been given) The access card I was given only let me open internal doors and even at that it was only on 2 levels. The card the security guy gave me was an AAA card. So, reprogramming the card I was issued with meant it looked legit. (A lime shade of Green coloured card).
PS; Always pick a security guard that smokes. 😜
I’m at 1/3 and I bet at the end he’ll say “Btw, this is not the time slot that was planned for me at Defcon, it was someone else’s, but I walked confidently on stage and the real presenter is still wondering when was his slot”.
Man does this take me back to my Security days. I dont know how many of the client personel expected to get in without their badges.
as an entrepreneur of an app company I must say I am damn glad this showed up in my watchlist, this was an excellent video!
This dude is basically recounting every time we have ever played Hitman.
Eugene from the walking dead, anyone?
The looks, the voice, the social engineering, the resemblance is uncanny. Perhaps the walking dead writers actually had this guy in mind?
exactly lol
No not really, it's more of a shitty mohawk than a mullet.
Thats a stretch... watch less TV
Begone troll.
As someone who's actually paralyzed, the part where he mentioned "I'm coming in a wheelchair" bothered me… But to be fair to him, I thought the same thing earlier in the presentation, I thought "you know, maybe I could use my actual disability to get paid…". People are so helpful to me because of my disability that OBVIOUSLY the kitten of darkness is going to use that tactic.
Lol, someone reported a sus guy walking around the halls at my workplace to security and they didn't do anything. A week later a whole bunch of computers got stolen haha