This is an AMA request from this thread.

For work I get to break into hospitals and steal things. It's referred to as a "Physical Penetration Test." It's an integral part of a risk assessment, which is required under 164.308(a)(1) of HIPAA.

I routinely pick locks, steal access badges, impersonate medical personnel, harvest data and credentials, crack passwords, and utilize various social engineering tactics.

My official title is "Information Security Consultant." I have a degree in Information Systems Management, as well as CCNA, Sec+, and CISA certifications.

Ask Me Anything! (and please bear with me... long time lurker, newbie poster)

EDIT: I'm not going to have much time to answer questions tonight. But I will go live at 8:00am central tomorrow. (Yay! excuse to reddit at work!)

For those of you asking for further proof (fair enough), here is a video of how I hacked an improperly installed RFID door lock.

Comments: 3623 • Responses: 62

iSanddbox1328 karma

What's your most creative "heist"?

The_MustardTiger1964 karma

Nothing too crazy. The most interesting intrusion I've done was at night. I taped the lock of an emergency exit open during the day. Security failed to secure it during the after-hours perimeter check because you have to walk through a garden to get to it. It led to a stairwell. On the second floor is the executive suite. The company that installed the RFID locks cut corners, to put it bluntly. I was able to manually circumvent the lock and gain entry to the executive offices. I actually have a video of this hack. I will need to sanitize it though; I will post it in the morning.

After bypassing the lock I had access to workstations, login credentials (written on post-it notes, a big no-no), facility keys, access badges, and sensitive information. I take pictures of all these things and keep any keys or badges I find.

On occasion I will take a laptop back to my hotel, boot it into Backtrack and harvest info such as the SAM file. Next I install remote access software and a keylogger. Then I return the laptop where I found it.

While I'm in the executive suite, I also have access to their subnet of the network. If security controls are lacking, I can harvest credentials, perform vulnerability scans, as well as access network shares and sensitive info by plugging a Raspberry Pi device with custom software into the network. I usually hide this device and access it remotely later. (Note: most clients do not like auditors plugging devices into their network. Vulnerability scans will commonly result in DoS'ing medical printing equipment (label makers, etc.). 'Noisy' hacking will generally cause havoc on a hospital network. This is why I try to enforce access controls such as port security and 802.1X.)
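The drop-box scenario in the answer above, an unmanaged device plugged into an executive-suite switch port and hidden, is a detection problem wherever port security and 802.1X are not yet enforced. The following Python script is an added example, not code from the AMA poster or his firm: it diffs a constructed `show mac address-table` style dump against a baseline inventory and flags MACs that are new, MACs that have moved ports, and new MACs whose OUI is registered to Raspberry Pi. It works from a table dump rather than probing hosts, which matters on a hospital network where, as the poster notes, active scanning can knock over label printers. The MAC addresses, port names and both table texts are constructed sample data.

```python
"""Diff a switch MAC address table against a baseline to spot rogue drop-box devices.

Added example: this is not code from the AMA poster. The sample tables below are constructed.
"""
from collections import namedtuple

# OUIs (first three octets) registered to Raspberry Pi; an unmanaged Pi is a common drop-box.
SUSPICIOUS_OUIS = {"B8:27:EB", "DC:A6:32", "E4:5F:01"}

Finding = namedtuple("Finding", "kind mac port detail")


def normalize_mac(mac):
    """Accept Cisco 'b827.eb3a.9c12', 'b8:27:eb:3a:9c:12' or 'b8-27-...' forms and
    return the canonical upper-case colon form 'B8:27:EB:3A:9C:12'."""
    digits = "".join(ch for ch in mac if ch.isalnum()).upper()
    if len(digits) != 12 or any(ch not in "0123456789ABCDEF" for ch in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text):
    """Parse 'VLAN  MAC  TYPE  PORT' rows (the layout of `show mac address-table`).
    Header and separator rows are skipped because their first token is not a VLAN number."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].isdigit():
            continue
        _vlan, mac, _kind, port = parts[:4]
        table[normalize_mac(mac)] = port
    return table


def audit(baseline, current):
    """Compare two {mac: port} maps and return a list of Finding in table order."""
    findings = []
    for mac, port in current.items():
        if mac not in baseline:
            detail = "unknown MAC"
            if mac[:8] in SUSPICIOUS_OUIS:
                detail += " with Raspberry Pi OUI"
            findings.append(Finding("new-device", mac, port, detail))
        elif baseline[mac] != port:
            # A known MAC on a different port deserves a look too: a device may have been
            # unplugged so an attacker's box could take its jack, or its MAC may be spoofed.
            findings.append(Finding("moved", mac, port, f"previously on {baseline[mac]}"))
    return findings


# Constructed sample data: a baseline captured during a quiet period and a later snapshot.
BASELINE_DUMP = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  10    0011.2233.4466    DYNAMIC     Gi1/0/2
  20    0011.2233.4477    DYNAMIC     Gi1/0/3
"""

CURRENT_DUMP = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  10    0011.2233.4466    DYNAMIC     Gi1/0/5
  10    b827.eb3a.9c12    DYNAMIC     Gi1/0/2
  20    0011.2233.4477    DYNAMIC     Gi1/0/3
"""


def run_example():
    """Audit the constructed snapshot; returns the findings so they can be checked."""
    return audit(parse_mac_table(BASELINE_DUMP), parse_mac_table(CURRENT_DUMP))


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.kind:<11} {f.mac}  {f.port:<8} {f.detail}")
```

Two caveats for anyone running this against a real switch: a VoIP phone with a workstation daisy-chained behind it legitimately puts two MACs on one port, so a baseline must be taken per port and not per MAC count; and a MAC address is trivially cloned, so a "moved" finding on a printer's jack deserves a physical walk to the port. This script is a stopgap detective control; the preventive controls the poster names, port security and 802.1X, are what keep the device from getting a link in the first place.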

chrisspyBacon542 karma

What's the protocol if you get caught in the act by a regular employee?

The_MustardTiger927 karma

In a perfect world the employee would call the CIO or Security officer and detain me until I can be verified.

mitchij2004420 karma

...but in the real world? Stories, man.

Cameron_D393 karma

More than likely, nothing.

How likely are you to report someone doing mildly suspicious stuff around your workplace? If he didn't have a badge on him, you might do something, but if he has a nametag (that maybe he took from elsewhere) you're more-than-likely just going to tell yourself that he is doing his job and there is nothing to worry about.

This DEFCON talk is a favourite of mine.

Edit to correct typo.

The_MustardTiger543 karma

Exactly this. Most employees are happy being complacent because it's easier than stopping me to properly verify who I am.

I-heart-naps264 karma

Walk fast and carry a clipboard; people just assume you belong there.

The_MustardTiger298 karma

You get it.

The_MustardTiger620 karma

I went to university for Information Systems Management. I majored in Security. For my senior project I wrote a business plan for a health care MSSP. I used that during my interview with an MSSP and they apparently were impressed. I also learned a lot about HIPAA regulation during the assignment. Something that is rare in the workforce.

RedGreenRG264 karma

I'm curious. Do you hum the theme to mission impossible while you're working? I probably would.

The_MustardTiger685 karma

Nope, but one day I got the Wizard of Oz theme-song stuck in my head... That was a weird day.

iSanddbox189 karma

The raspberry pi part sounds like something out of a movie. Make sure you verify with the mods, by the way, because your main post is removed right now.

The_MustardTiger237 karma

I have. Waiting for reply. Thanks

TheReasonableCamel78 karma

Sorry to piggyback on the top comment. OP, as necessary, all AMAs must have proof. You can message the mods or post it in here. If you can't provide proof then you can go to /r/self.

The_MustardTiger73 karma

Yes sir, can I email a mod from my work email? (which can be verified via our website?)

The_MustardTiger2399 karma

I wish. God, that thing is intriguing. I bet it's full of dick pics drawn in MS Paint.

noodleless1018 karma

You said in the other thread that you got tased once. How did that happen?

The_MustardTiger1817 karma

I was performing an after-hours assessment at a business center of a hospital. During the day I unlocked a 1st floor window. That night, at about 1:30am, I snuck back in through the window. There was a bank next door and the security guard saw me and called the police. Police called hospital security. I was sitting at a workstation that was left unlocked when they entered. An overweight, overzealous security guard pointed the Taser at me. I calmly said I had a reason to be there and reached in my jacket pocket for the business card of the hospital's chief of security. The guard lunged forward with the Taser. It caught me under the forearm that was reaching in my jacket. It clenched so ferociously that I smacked myself in the face and cartwheeled out of the chair I was sitting in. It stung pretty good, but wasn't as bad as I thought it would be, maybe because I flinched so damn hard. He didn't fire the prongs, thank god.

I just started yelling the Chief of Security's name, over and over, until he got the message. CSO was called. He was annoyed even though he was aware the assessment was taking place. Neither party was in any trouble. The guard apologized but kept saying he was just doing his job. Maybe I shouldn't have reached so fast, but I think he was overeager with the taser.

EDIT: I realize now that I failed to understand the guard's perspective at the time. Although I thought the situation was calm, he did not. It was my fault I got tased. I now always ensure that the Chief of Security informs someone that is on duty during a nighttime assessment.

Yogsolhoth2054 karma

I'd rather taze some guy who appears to be burglarizing a hospital, than get shot and killed.

I seem to have awoken the horde... Burglarizing

The_MustardTiger453 karma

I agree. However, the situation was calm enough not to warrant Tasing me, IMO. I should have been more clear about what I was reaching for.

TheEpicTortoise70 karma

Also, how bad did it hurt?

The_MustardTiger216 karma

Bad enough, but not as bad as I imagined it would be. I think getting shot with the prongs is a different story.

ogenbite786 karma

What happens if you're caught? If you're found out, how do you convince them that you aren't a real thief? Any run-ins with police?

Also, what happens to a hospital if you get away clean?

The_MustardTiger975 karma

I usually just name drop with CIO or security officer, then they call to verify. Only one run in with po-po, explained above. Nothing happens to the hospital when I find breaches. In fact, every hospital I've audited has gotten at least 1 breach. Because I am their security partner I am not obligated to report to OCR. I just advise them on how to improve things.

Random_Illianer254 karma

I've been visiting medical companies the last few months, advising them on securing a portion of their technology. It is absolutely amazing how many simply don't understand or ignore HIPAA rules. I so badly want to say "Buy my shit or I'll call OCR". Do you ever feel this way?

The_MustardTiger408 karma

Every. Damn. Day.

Especially with the new "Willful Neglect" clause. If a breach is considered willful neglect, as many are, there is an instant fine of up to 50K per breach.

... My boss has a real way of striking fear into the heart of CFO's.

Zwergner37 karma

What sort of breaches are considered willful neglect? Examples?

The_MustardTiger51 karma

There are two types of willful neglect. The first is when a company clearly ignores the HIPAA law but corrects their mistake within the given amount of time. Minimum fine: $10,000 per incident with annual maximum of $1.5 million for repeat violations. Maximum fine: $50,000 per violation with annual maximum of $1.5 million for repeat violations.

The second type of willful neglect is when a company ignores the HIPAA law and does not correct their mistake. Minimum fine: $50,000 per incident with annual maximum of $250,000 for repeat violations. Maximum fine: $50,000 per incident with annual maximum of $250,000 for repeat violations.

DucBlangis420 karma

Pentesters usually have "get out of jail free" cards. Any pentester worth their weight will make sure to have all their legal bases covered with contracts, proofs, etc.

The_MustardTiger577 karma

Exactly. These are usually defined in the "Rules of Engagement" contract.

DanaKaZ548 karma

I think you should write a clause in your "Rules of Engagement" stating: The_MustardTiger must at all times adhere to the rules of "Simon says", this will be the only way to stop The_MustardTiger when first engaged.

The_MustardTiger348 karma

I like you

Mk3supraholic589 karma

have you ever had to perform the duties of the person you were impersonating?

The_MustardTiger1203 karma

Never. It would be unethical and possibly dangerous for me to interfere with patient care.

holyice71609 karma

I think he meant more along the lines of have you ever mopped a hospital floor while you wore a fake mustache?

WowkoWork330 karma

God I hope so. I'm just going to assume he has.

smzayne379 karma

Never. It would be unethical and possibly dangerous for him to interfere with floor care.

The_MustardTiger36 karma

Exactly, hospital floors are extremely ethical. They've seen some shit.

Geaux574 karma

What is the deepest you've had to get into a "character", when you say that you impersonate medical personnel?

The_MustardTiger1099 karma

I impersonate CNAs quite a bit. Just need a pair of scrubs and push around a wheelchair or laundry bin. Occasionally I will grab a lab coat if I'm in a physician office or lounge area. Those guys usually know their coworkers though, so that is risky. Honestly, random IT contractor works the best because it gets me access to systems and restricted areas.

The_MustardTiger1010 karma

Exactly this. Blurt a bunch of techno jargon at them... Tell them you need to get on their workstation or it will "break." ...Blank stares and complacency damn near every time.

Muqaddimah550 karma

Do you do your best work while wearing a tactical turtleneck?

The_MustardTiger1193 karma

Only if it's a slightly darker black.

MillzwooT542 karma

How long have you done this? How does a person get a job like this?

The_MustardTiger667 karma

I've only been doing this since May of 2012, when I graduated from university. Get a degree in information systems or the like. Specialize in technical security. If you really want to get into auditing, realize there is more to it than the physical assessment. That's only about 30% of what I do. Get familiar with regulatory compliance. The big ones are PCI-DSS (for banking) and HIPAA (for healthcare). Part of auditing is policy review, which generally sucks. Technical services of an MSSP are rather fun. Google: event monitoring, vulnerability scanning, pentesting.

Edit: Also get certifications such as CompTIA Sec+, CISA, CISSP, CCNA Security

CryoftheBanshee59 karma

I definitely would love to know the qualifications for this profession. Is there a training program?

ekzor39 karma

It's not like he gets to keep the spoils

ayedfy77 karma

And I doubt career criminals have to file all the paperwork he does.

The_MustardTiger88 karma

Very accurate.

The_MustardTiger17 karma

Very accurate post. Our reports are typically over 100 pages. Templates help expedite the process. About 20-30 pages of actual typing is a pretty good estimate.

theodrixx494 karma

(Yay! excuse to reddit at work!)

Are you going to be answering questions with your smartphone while clinging to a ceiling in a ninja outfit?

The_MustardTiger625 karma

Nope. Office day. :(

Documentation of all the fun stuff is a bitch.

D0UBLETH1NK396 karma

Regarding social engineering tactics: is there a line you're not allowed to cross, as far as manipulating staff for information? You have to outright lie to get anywhere, obviously, but I imagine your employer has rules regarding how badly you can play people.

The_MustardTiger620 karma

Honestly, not really. I outright lie every day, though it is not really malicious. Asking nicely and pretending to be a friendly vendor or something usually arouses less suspicion than acting all secret-agent-like.

Thoraxe478 karma

Have you ever had to manwhore to get info from a horny nurse?

Please say yes...

The_MustardTiger111 karma

Unfortunately no, my tactical turtleneck isn't sexy enough.

aron2295125 karma

Has there ever been a time when you just can't get in? I was meeting with a financial adviser and he said "call me so I can come down to greet you." Another employee came in and unlocked the door, and when I said I had an appointment upstairs he wouldn't let me in, even after I showed him the envelope of tax documents.

The_MustardTiger214 karma

Financial institutions are generally more secure, due to the nature of the business. Hospitals are about helping people, security often takes a back seat to patient care.

I've always been able to find at least one breach of patient privacy. I'm not always able to get digital info, due to tech controls like an IPS or comprehensive group policy.

cmccoyx975 karma

I am going to be graduating from nursing school soon and working in a hospital starting in May. What is something that a nurse (low-level, I know) can do that is easy to implement and makes the biggest difference in information security?

The_MustardTiger26 karma

Thank you for the questions.

On a personal level, always lock your workstation. Scold coworkers who do not. Be aware of people in your area. Does someone look lost? Ask them who they are. Be extra vigilant about giving someone access. NEVER EVER EVER share your network credentials or allow someone to use your workstation.

Read the organization's policies; ask questions if you are confused. Ask what to do about specific situations; if there isn't a policy for it, they should make one.

Kelsadar365 karma

Sounds like a very interesting job. Most exciting hospital break in attempt?

The_MustardTiger1033 karma

There are a couple stories above but here is one that got my blood pumping. I was searching a lady's unlocked office for keys and PHI. While I was pocketing the keys and cell phone in her top drawer I hear someone try to open the door. I locked it when I began my search. She began knocking on the door and saying "Hello?!?" I thought about hiding in the bathroom, but that would lead to an awkward conversation if she found me. I just stood there frozen. Eventually she walked away, presumably to have someone unlock her door. I took the keys and bolted down the nearest stairwell.

AARONNL342 karma

Could your job ever result in the death or harm of a patient? (for example, stealing something needed like an access badge from someone and they can't get in to help in a dire situation)

The_MustardTiger477 karma

I suppose hypothetically yes. I always refrain from interfering with patient care, and I would never steal an access badge of critical staff like emergency or ICU. Also, I give badges back to the CIO after I document the findings.

Originalluff264 karma

Do people who get their badges stolen from you get in trouble?

The_MustardTiger341 karma

I try to keep the identity confidential. I will redact any PII in the documentation photos. I prefer to replace the badge if I can, but most often I have to give it back to the CIO.

The hospital isn't trying to throw 1 person under the bus. If it wasn't one individual it will be another. The goal is to get organization wide user training and security awareness.

vault101damner319 karma

How do people not recognize you after repeated break-in attempts?

The_MustardTiger530 karma

I only assess each client annually. Also, we have several auditors.

Wulfay289 karma

At what point do you reveal who you really are? Do you deflect being an imposter the first few times, until you are really really caught/in deep shit? Where is the line?

Is there a safe word or something you use so that they know you are telling the truth this time, and not just someone trying to impersonate a "Information Security Consultant"?

Thanks for the AMA, really interesting!

The_MustardTiger420 karma

The line comes whenever the employee finally decides I'm not who I say I am. Generally I will keep pushing the lie until they call me out and go above me to verify.

PragmaticApe132 karma

Would the person who caught you get a special mention in your report? Or vice versa would someone who should have found you out get mentioned as not doing their job properly? Has anyone ever been fired for essentially not asking you for proof?

The_MustardTiger15 karma

No one ever gets mentioned personally, one way or the other. I will make note of the department, sometimes drop a hint if it is a special mention. For instance, "The receptionist at the Addiction Recovery Center denied the assessor access and verified identity with information services, in accordance with policy."

RemCogito18 karma

I work IT in a hospital and I don't even know who I would call to verify. I can't just call someone from the security team because they don't keep their numbers in the global address book, and the big execs are in another city (provincial health provider) and the global address book doesn't have their numbers on file either. The best I think I could do is submit a critical ticket with my phone number and hope that someone who knew would pick up the province-wide page. But if you already had access to the ticketing system you could have a second person call me and you could get away. Because it paged critical, about a week later there would be a huge meeting to determine if the critical incident was handled correctly, but you could be out of the country already.

PS: hospitals have terrible security. I normally keep my badge in my pocket because I find it amusing tracking how long it has been since I was last asked for ID. Currently it has been just over a month. Usually the only time I get asked is when I can't get a hold of the client and I need security to open a door for me.

The_MustardTiger36 karma

This is fairly common. Under 164.308(a)(6)(i) of HIPAA, your organization is required to have a "Security Incident Procedures" policy, that dictates what to do in these situations. Many organizations have not adopted such policies yet.

Approach your compliance officer and ask this question. Cite the regulation number for added effect. This may get the ball rolling.

ConeFails230 karma

Your first successful lock pick.

Please describe it.

  1. Tools used

  2. what type of lock

  3. time required

  4. times failed

  5. the step you took after your success.

The_MustardTiger326 karma

  1. 5 pin Bump key
  2. Don't remember model, pretty standard lock you see on office doors.
  3. 30 seconds
  4. 4 or 5 "bumps" to catch the cylinder.
  5. turned the bump key in the latch and opened the door.

(Clients prefer not to use conventional lockpicking tools as they can damage the locks.)

I have a cool hack I found of an improperly installed RFID lock. I took a video but I have to remove any personal info. I will post tomorrow.

The_MustardTiger83 karma

I used a bump key on a standard office type lock. Took about 4 - 6 bumps to catch the cylinder. After that I turned the key and opened the door.

wootfish193 karma

Was this the job you had in mind while you were getting your degree? And if not, how did it come up?

The_MustardTiger308 karma

Not so much the physical side of things. I wanted to be a technical pentester, basically an ethical hacker. When I realized the enormous challenge of mastering such a skill, I decided to broaden my knowledge base and go for the consulting jobs rather than engineering. I have some basic hacking skills and lots of experience with vulnerability management tools. Honestly, unless you are the top 5% of hackers, there is more money in compliance and security management.

Babyskin_Wallet243 karma

Try "guest"

The_MustardTiger351 karma

EDIT: either this or 'admin', 'tech' or 'nurse'.

IrregardingGrammar29 karma

He answers most of this in the other thread:

Yes Sir, most of these companies fall into the category of Managed Security Solutions Provider, or MSSP. They usually provide other services such as policy review, vulnerability assessment (technical and physical), event monitoring, incident response and disaster recovery. The firm I work for deals specifically with hospitals. Due to HIPAA and HITECH regulations, Covered Entities are required to have comprehensive assessments that include the physical PenTest I described.

And I'm pretty sure these companies don't really exist as covert ops, but as far as being covert only a small fraction of the management would know what is going on so that the test can be as legit as possible.

Edit: He also says in the other thread that only the chief of security and C-level managers (whatever that means) know he is there, so a handful of people tops.

The_MustardTiger16 karma

This is correct. Chief of Security and executive staff usually know. (CEO, CFO, CIO)

we_are_babcock95 karma

Based on your observations, what precautions should patients take to protect themselves?

The_MustardTiger139 karma

Ensure medical staff do not pull up your PHI on a monitor, then walk away without locking it.... Leaving charts in public areas, etc. It's hard for a patient to protect themselves, most breaches occur without the patient's knowledge. PHI commonly gets leaked through email, lost thumb drives, break-ins, careless shredding policies...

thetruefrozn92 karma

Have you ever gotten attacked by someone that thought you were actually stealing?

The_MustardTiger159 karma

Not attacked. Mistakenly Tased by overeager security guard. (Explained above)

bluesmood86 karma

What does your family think of your job?

The_MustardTiger116 karma

It's pretty normal really. I travel a lot, and usually have fun stories. They think it's interesting, but not too out of the ordinary, really.

EDIT: Terrible Engrish. I'm not even going to change it.

narwhal1383 karma

What other types of buildings require security checks of this nature? Are there companies that break in to museums, banks, restaurants, hotels, etc?

The_MustardTiger133 karma

I know financial institutions must adhere to PCI-DSS compliance, which includes pentests. My understanding is they are more concerned with technical security, as physical security is more inherent in a financial institution.

Keyburrito52 karma

What do you get paid?

Have you ever had to seduce someone to complete a heist?

The_MustardTiger113 karma

Unfortunately I have not had to seduce anyone. :( I casually flirt with nurses sometimes. Though that is mostly just to ease suspicion.

w1ndwak3r48 karma

How does your job compare to the commonly seen "heists" in the movies?

narwhal1355 karma

All I can picture is the Oceans 11 movie, but in a hospital.

The_MustardTiger361 karma

I'm not as handsome

NYKevin43 karma

How often do you do this? Do you do other things as well?

The_MustardTiger76 karma

I do 2-3 assessments a month. Physical is only one of three parts of an assessment. Technical review/ vulnerability assessment, and policy review are the others. Policy can be very tedious, but that's where the money is.

sentenseifrel21 karma

ITT No replies from the OP!

Govnar08 karma

Read his edit

faapstad4 karma

There is no edit. It was removed. What did he say?

The_MustardTiger10 karma

oh no! I provided proof. Waiting for response now. I have to work in the morning so I will resume answering questions at 8:00am central. Thanks!

Weeperblast18 karma

My friend stole a child-sized iron lung. What's the heaviest or most difficult thing you've stolen?

The_MustardTiger23 karma

Now this needs an AMA.

A rack server was the heaviest thing I've ever taken. It was on the way to be decommissioned and was left in an unsecured area.

NathanJMc5 karma

Why removed? ...

The_MustardTiger20 karma

Because I was playing starcraft instead of sending proof. MY BAD!

Dan_Ashcroft5 karma

Why did you post an AMA if you don't have time to answer questions?

The_MustardTiger10 karma

Because I'm a newbie. I read the instructions and assumed you could set a go live time? I did something wrong I guess.

BeartrapSandwich2 karma

Scumbag OP does an AMA, answers no questions.

Edit: Nevermind!

The_MustardTiger2 karma

scumbag indeed. I did post an edit saying I need sleep and will answer in the am. I did do my best to answer a few before bed. Happy reading.

TheEpicTortoise2 karma

So do they grade the hospitals based on how well you do in stealing or something? How does your job affect the hospitals that you break into? Do you inform any of the people that run the hospital or do you just go in there?

The_MustardTiger2 karma

Partly. The physical assessment is one of 3 scores; administrative and technical are the others. The hospitals themselves hire the firm I work for. I am not obligated to report any findings. The hospital can do as much or as little remediation as they choose, though they risk getting fined for a breach. Because they've had a risk assessment, this falls into the category of Willful Neglect, making the fines much larger.