Hello and welcome to episode 23 of the Sudo Social Club. I’m Edward Miro and in this week’s episode I’m going to present a talk I wrote called: “Don’t Trust The Tech: Clipboards And The Art Of Intrusion”
The Sudo Social Club is a podcast and YouTube channel centered around cyber security awareness, IT security training, hacking capture the flags, wargames, and crypto challenges. Check us out at www.sudosocialclub.com where there are links to the YouTube video, audio only and a feed of all my past episodes for you to use anytime you need it. If anyone has any feedback or recommendations on how I can improve the channel please leave a comment or email me at firstname.lastname@example.org. Thanks for tuning in, now let’s begin:
Originally I wrote and submitted this talk to BSidesSF 2020 and it wasn’t selected, so I thought it would make a perfect episode of the Sudo Social Club. I’m also going to post the text on www.sudosocialclub.com if you want to reference or share it.
Here we go:
I don’t think I need to state this for the record, but I’m going to anyways because integrity is really important to me. As a security professional, ethics are huge. I would never take advantage of any of the situations I’m about to describe, hurt my clients or damage the trust I have in this field.
As an educator, I stress never straying into the dark side of security and crossing those lines. Catching a charge is a bad career move if you want to be in the cyber security world. This last DEF CON I remember people tweeting desperately looking for companies okay with hiring people with records. It’s not great to get arrested. You might have amazing skills, but companies can’t insure or bond someone with a felony conviction. I’m not judging and I do know some black hats. Some of these people are geniuses and know more about hacking than I ever will. I just always chose to remain a white hat, that’s worked out for me, and that’s what I recommend.
Don’t try any of what I’m going to communicate in this episode unless you were hired to do so and have the correct authorization. Like Bosnianbill always says: “Stay Safe, Stay Legal”.
Anyways, on to the episode:
If you know me in real life or follow my social media, you’ll know that I recently made the transition to education and I’ll be teaching my first class this semester at our local community college. For the past 20 years however I’ve worked the full spectrum of IT and tech jobs. From massive corporations to mom and pop repair shops and everything in between.
When I started this channel last year I was at that point self employed, working as a freelance IT tech and independent security consultant. If you’ve never tried any of the online IT gig marketplaces it generally consists of MSPs sending you work orders, that were sent to them by other MSPs, whose client is usually a major corporation. You do a lot of retail/corporate/govt and every once in a while you get a home user.
When I started, I assumed that most companies would check my ID before letting me in their server room or other sensitive areas. I mean, obviously, right? I couldn’t have been more wrong. Banks, medical practices, and even government facilities have all given me free rein as long as I had a bag of tools or a clipboard.
And I know there’s a bunch of videos out there with mad lads proving this exact point with a high vis vest or a ladder. It’s not a new concept, but I think what really struck me was the scale of the problem. It’s easy to watch videos and just assume they’re only showing you the wins and you assume a lot of places it’s not gonna work. They’re fun videos, but it’s not reality. Sure it can work, but it’s not going to work most of the time, right? Wrong.
Anyways. As a new independent contractor I was, in my normal fashion, overprepared. I printed out all my work orders. I printed out any notes or instructions and ALWAYS made sure I had my printable ID that the platforms always assure you will be required onsite by the clients. It was maybe a week into it that I noticed nobody was asking me for it. Interesting.
I did work orders for over a year before anyone even asked to see the work order, let alone the ID. By this point in my journey I had stopped wasting ink printing out a bunch of stuff that wasn’t going to be needed and would have to be shredded at the end of the day.
The first person to ask me to see the work order was the manager of a Verizon store and of course I didn’t have it, but I was able to pull one up on my phone. He didn’t really look at it, but it was good enough.
Just off the top of my head, here are some of the places I’ve been granted what I consider unauthorized access:
Server rooms - most of the places I was contracted to do work had me in their server room or networking closet. Which is kinda scary when many of the places I was working were medical facilities, banks, and government offices.
Speaking of banks, one time I was escorted upstairs to the second floor of a local bank by a manager and left alone for almost 20 minutes. Nobody worked up there, ZERO cameras, but I did wander around and found an unlocked drawer with a ring of keys and a notepad with passwords handwritten on it. Yikes.
And remember nobody checked my ID, or that I even had a work order. I walk in and say “Hi I’m the IT guy”, then they point the way. Half the time I never even said my name. Another bank I worked at kept their shred bins in the server room, and they were the ones with openings big enough to pull paperwork back out again and they were of course overflowing with sensitive documents.
“Okay. Cool story bro, what’s the point?” I’m glad you asked.
We all have specialties and very few of us in the information security world are experts at everything. I went to a conference for IT/CS educators recently in San Jose and it’s the same at that level of expertise too. 90% of them have a specialty and very few of them can do it all. I also met a man that has over 60 certs, so they are out there. But they’re rare.
I emphasize this for two reasons. The first is that I want to try to help any of my listeners who are fighting their imposter syndrome and thinking they aren’t good enough because they don’t know it all. Nobody else knows it all. We all Google everything. You’re smart enough.
Secondly, it’s because I’m in that boat too. I’m not a great programmer and am still trying to teach myself Python. My strengths are in social engineering, physical security and OSINT. Which is cool. Not a lot of full stack engineers are skilled in these areas so it all balances out. It’s why they call it red TEAMING.
Naturally, since these are my strengths, they are the areas I focus on, and topics I’ve spoken on before at DEF CON and our local Norcon. I also, as you would expect, see these as some of the most important areas you can focus on if you want to keep your organization safe.
Hear me out:
I was ASB president during my time as a student in college and have been to a lot of leadership conferences. I really like self-improvement books and podcasts about personal development, entrepreneurship, etc. There’s this concept you hear a lot called the Pareto principle, also commonly known as the 80/20 rule. Quoting Wikipedia the 80/20 rule: “states that, for many events, roughly 80% of the effects come from 20% of the causes”.
I think I’m right that this completely aligns with almost all the major hacks and breaches we’ve had throughout the history of hacking. I have a hard time finding a really good metric on this, but from my research at least 90% of them were initiated through a social engineering or physical security vector. I could be wrong, feel free to dispute that. It’s very high nonetheless. Which is funny because even the class I’m teaching this semester to prepare the students to get their Security+ cert has very little (in my opinion) about social engineering or physical security. Take for example Kevin Mitnick. One of the world’s most famous hackers, and his early career was very non-technical. One of the first things he says in his book Ghost In The Wires: My Adventures as the World’s Most Wanted Hacker, and I’m paraphrasing here, is “I don’t need to hack your network if I can be physically in front of your computer”.
From my perspective we’re teaching INFOSEC pros to focus 80% of their learning on something that will only stop 20% of the attacks. Imagine if we focused more on end user social engineering awareness training and implemented good physical security controls and protocols.
And I know I’m not the only one beating this drum, and many of my idols in this field like Chris Hadnagy and Deviant Ollam have been instrumental in forming my worldview on this. Social engineering and physical security skills can feel like a super power. That feeling when you realize most locks can be picked by amateurs, are just the illusion of security, and merely exist as honesty enforcers is deep and terrifying. When you realize that wearing a polo shirt and carrying a clipboard can literally get you into most places, it’s mind blowing.
And to be clear, I’m not saying we shouldn’t focus on network security, firewalls, anti-malware software. All the things. We need it all. But for the most part you’re only stopping the script kiddies or people looking for the low hanging fruit. If your user tells me their password I don’t have to hack your network. If they let me in the server room, the sky’s the limit.
Obviously you need to decide what makes the most sense for your organization, and if there’s anything I want you to take away from this, it’s to at least start allocating more resources in the areas of physical security or social engineering. Hire pen testers to break in and help you harden those outer rings of defense. Hire an SE company to run a phishing campaign on your people. And tell your people that it’s going to be happening. Train them on what to look out for, and what to do. Gamify it and don’t punish them.
My last point in regards to user awareness training is to stop spreading the sentiment that only idiots will click a phishing email or fall for social engineering. You’re wrong and unless you’re not a human, you are also vulnerable. Whether you choose to acknowledge that or not.
Nobody is going to disclose an incident if they’re afraid of getting fired or shamed.
You’re getting attacked and probably don’t even know it.
If you like this week’s episode and want to help support this channel please subscribe to the podcast through whatever podcatcher you found me through and please subscribe to the YouTube channel. Links to everything on www.sudosocialclub.com, and if you want to help the channel grow please share on your social media. Once again I’m Edward Miro and you can contact me at email@example.com with any comments, questions, corrections or feedback including ideas for future episodes. Thanks for checking out the Sudo Social Club. Have a great week!