I break into hospitals and steal things for a living. Ask me Anything!

What's your most creative "heist"?

Nothing too crazy. The most interesting intrusion I've done was at night. I taped the lock of an emergency exit open during the day. Security failed to secure it during the after hours perimeter check because you have to walk through a garden to get to it. It lead to a stairwell. On the second floor is the executive suit. The company that installed the RFID locks cut corners, to put it bluntly. I was able to manually circumvent the lock and gain entry to the executive offices. I actually have a video of this hack. I will need to sanitize it though, I will post it in the morning.

After bypassing the lock I had access to workstations, login credentials (written on post it notes, a big no-no), facility keys, access badges, and sensitive information. I take pictures of all these things and keep and keys or badges I find.

On occasion I will take a laptop back to my hotel, boot it into Backtrack and harvest info such as the SAM file. Next I install remote access software and a keylogger. Then I return the laptop where I found it.

While I'm in the executive suite, I also have access to their subnet of the network. If security controls are lacking, I can harvest credentials, perform vulnerability scans, as well as access network shares and sensitive info by plugging a Raspberry Pi device with custom software into the network. I usually hide this device and access it remotely later. (note: most clients do not like auditors plugging devices into their network. Vulnerability scans will commonly result in DoS'ing medical printing equipment (label makers, etc) 'Noisy' hacking will generally cause havoc on a hospital network. This is why I try to enforce access control such as port security and 802.1x.

What's the protocol if you get caught in the act by a regular employee?

In a perfect world the employee would call the CIO or Security officer and detain me until I can be verified.

....but in the real world? stories man.

More than likely, nothing.

How likely are you to report someone doing mildly suspicious stuff around your workplace? If he didn't have a badge on him, you might do something, but if he has a nametag (that maybe he took from elsewhere) you're more-than-likely just going to tell yourself that he is doing his job and there is nothing to worry about.

This DEFCON talk is a favourite of mine.

Edit to correct typo.

Exactly this. Most employees are happy being complacent because it's easier than stopping me to properly verify who I am.

Walk fast and carry a clip board, people just assume you belong there.

You get it.

[deleted]

I went to university for Information Systems Management. I majored in Security. For my senior project I wrote a business plan for a health care MSSP. I used that during my interview with an MSSP and they apparently were impressed. I also learned a lot about HIPAA regulation during the assignment. Something that is rare in the workforce.

I'm curious. Do you hum the theme to mission impossible while you're working? I probably would.

Nope, but one day I got the Wizard of Oz theme-song stuck in my head... That was a weird day.

The raspberry pi part sounds like something out of a movie. Make sure you verify with the mods, by the way, because your main post is removed right now.

I have. Waiting for reply. Thanks

I worked in a photo lab when I was in college. This was back before digital cameras were in wide use. People would take photos at college parties and drop them off for one hour development.

Most of the photos were pretty boring. A group of guys or girls posing, obviously drunk. Beer cans, Solo cups. A couple bongs. And the occasional topless girl or someone puking. Nothing too unexpected.

But there was one guy that came in on a regular basis. His photos were always hardcore pornography. Spread eagle shots, blowjobs, facials. Gaping vaginas and assholes. I fucking loved printing this guy's stuff and put extra effort into getting the color balance and exposure just right. It got so that he'd ask for me every time he dropped film off.

He started showing up to the shop with a girl on his arm. The same one every time. He called her Amber, though I suspect that wasn't her real name. Let's just say that I already knew Amber more intimately than did her gynecologist. Nearly all the photos coming in at this point from this guy were of Amber.

As time went on, the photos got more and more extreme. At first, it was just her getting fucked or spreading her ass open. Pretty soon, a dick shoved down her throat and tears streaming down her face, her heavily-applied mascara smeared in an almost comical fashion. I printed one of these for my own pleasure and added the caption "Harlequin."

Pretty soon, it appeared, my favorite customer got involved in hardcore BDSM. Photos of Amber tied to the floor, helpless. Butt plugs that appeared to increase in size every time he came in. Clothespins on her nipples, down the backs of her arms. She still had bruising from these when I saw her once. She saw me admiring her love marks and gave me an almost demure wink.

Fisting. Double fisting. Gapes so large it looked like she just shit a watermelon. And then started the erotic knife play. Photos of Amber with a knife to her throat, red marks on her skin, then small cuts. Tears still streaming down her face. And every time I'd admire a scar when I saw her in person, she'd smile at me and whisper knowingly to my favorite photographer.

I graduated before I got to see where all this was going. Every time this couple would come in, I'd find myself furiously masturbating in the back room of the photo lab. She ruined me for other women. Sweet, innocent college girls would show me their tits or go down on me. But it was never quite enough. I dreamed of the horrible things I could do to a girl. I dreamed of my own Amber.

To this day, I don't think I'll ever be satisfied that I've found The One until I can reach inside her through her anus and feel her intestines moving her waste rhythmically, romantically, through her body. I don't think I can be happy until I can crawl inside her digestive system and hide from the world.

But isn't that ultimately what we all want? To find someone that we care about so dearly that the rest of the world doesn't matter?

Wtf did I just read?

It took me until halfway down the story to realize that it wasn't part of the AMA

I am so confused.

Sorry to piggybank the top comment, OP as necessary all AMA's must have proof. You can message the mods or post it in here. If you can't provide proof then you can go to /r/self.

Yes sir, can I email a mod from my work email? (which can be verified via our website?)

CAN YOU BREAK INTO THE SAFE?!

I wish. God that thing is intriguing. I bet it's full of dick picks drawn in MS Paint.

You said in the other thread that you got tased once. How did that happen?

I was performing after hours assessment at a business center of a hospital. During the day I unlocked a 1st floor window. That night, at about 1:30am I snuck back in through the window. There was a bank next door and the security guard saw me and called the police. Police called hospital security. I was sitting at a workstation that was left unlocked when they entered. An overweight, overzealous security guard pointed the Taser at me. I calmly said I had a reason to be there and reached in my jacket pocket for the business card of the hospital's chief of security. The guard lunged forward with the Taser. It caught me under the forearm that was reaching in my jacket. It clenched so ferociously that I smacked myself in the face and cartwheeled out of the chair I was sitting in. It stung pretty good, but wasn't as bad as I thought it would be, maybe because I flinched so damn hard. He didn't fire the prongs, thank god.

I just started yelling the Chief of Security's name, over and over, until he got the message. CSO was called. He was annoyed even though he was aware the assessment was taking place. Neither party was in any trouble. The guard apologized but kept saying he was just doing his job. Maybe I shouldn't have reached so fast, but I think he was overeager with the taser.

EDIT: I realize now that I failed to understand the guard's perspective at the time. Although I thought the situation was calm, he did not. It was my fault I got tased. I now always ensure that the Chief of Security informs someone that is on duty during a nighttime assessment.

I'd rather taze some guy who appears to be burglarizing a hospital, than get shot and killed.

I seem to have awoken the horde... ^Burglarizing

I agree. However, the situation was calm enough not to warrant Tasing me, IMO. I should have been more clear about what I was reaching for.

Also, how bad did it hurt?

bad enough, but not as bad as I imagined it would. I think getting shot with the prongs is a different story.

What happens if you're caught? If you're found out, how do you convince them that you aren't a real thief? Any run-ins with police?

Also, what happens to a hospital if you get away clean?

I usually just name drop with CIO or security officer, then they call to verify. Only one run in with po-po, explained above. Nothing happens to the hospital when I find breaches. In fact, every hospital I've audited has gotten at least 1 breach. Because I am their security partner I am not obligated to report to OCR. I just advise them on how to improve things.

I've been visiting medical companies the last few months, advising them on securing a portion of their technology. It is absolutely amazing how many simply dont understand or ignore HIPAA rules. I so badly want to say "Buy my shit or I'll call OCR". Do you ever feel this way?

Every. Damn. Day.

Especially with the new "Willful Neglect" clause. If a breach is considered willful neglect, as many are, there is an instant fine of up to 50K per breach.

... My boss has a real way of striking fear into the heart of CFO's.

What sort of breaches are considered willful neglect? Examples?

?There are two types of willful neglect. The first is when a company clearly ignores the HIPAA law but corrects their mistake within the given amount of time. Minimum fine: $10,000 per incident with annual maximum of $1.5 million for repeat violations. Maximum fine: $50,000 per violation with annual maximum of $1.5 million for repeat violations The second type of willful neglect is when a company ignores the HIPAA law and does not correct their mistake. Minimum fine: $50,000 per incident with annual maximum of $250,000 for repeat violations. Maximum fine: $50,000 per incident with annual maximum of $250,000 for repeat violations."

Source

Pentesters usually have "get out of jail free" cards. Any pentester worth their weight will make sure to have all their legal bases covered with contracts, proofs, etc.

Exactly. These are usually defined in the "Rules of Engagement" contract.

I think you should write a clause in your "Rules of Engagement" stating: The_MustardTiger must at all times adhere to the rules of "Simon says", this will be the only way to stop The_MustardTiger when first engaged.

I like you

have you ever had to perform the duties of the person you were impersonating?

Never. It would be unethical and possibly dangerous for me to interfere with patient care.

I think he meant more along the lines of have you ever mopped a hospital floor while you wore a fake mustache?

God I hope so. I'm just going to assume he has.

Never. It would be unethical and possibly dangerous for him to interfere with floor care.

Exactly, hospital floors are extremely ethical. They've seen some shit.

What is the deepest you've had to get into a "character", when you say that you impersonate medical personnel?

I impersonate CNA's quite a bit. Just need a pair of scrubs and push around a wheelchair or laundry bin. Occasionally I will grab a lab coat if I'm in a physician office or lounge area. Those guys usually know their coworkers though, so that is risky. Honestly, random IT contractor works the best because it gets me access to systems and restricted areas.

This comment has been overwritten by an open source script to protect this user's privacy.

If you would like to do the same, add the browser extension TamperMonkey for Chrome (or GreaseMonkey for Firefox) and add this open source script.

Then simply click on your username on Reddit, go to the comments tab, and hit the new OVERWRITE button at the top.

Exactly this. Blurt a bunch of techno jargon at them... Tell them you need to get on their workstation or it will "break." ...Blank stares and complacency damn near every time.

Do you do your best work while wearing a tactical turtleneck?

Only if it's a slightly darker black.

How long have you done this? How does a person get a job like this?

I've only been doing this since May of 2012, when I graduated from university. Get a degree in information systems or the like. Specialize in technical security. If you really want to get into auditing, realize there is more to it than the physical assessment. That's only about 30% of what I do. Get familiar with regulatory compliance. The big ones are PCI-DSS(for banking) and HIPAA(for healthcare). Part of auditing is policy review, which generally sucks. Technical services of an MSSP are rather fun. Google, Event monitoring, Vulnerability scanning, pentesting.

Edit: Also get certifications such as CompTIA Sec+, CISA, CISSP, CCNA Security

I definitely would love to know the qualifications for this profession. Is there a training program?

[deleted]

It's not like he gets to keep the spoils

And I doubt career criminals have to file all the paperwork he does.

Very accurate.

[deleted]

Very accurate post. Our reports are typically over 100 pages. Templates help expedite the process. About 20-30 pages of actual typing is a pretty good estimate.

(Yay! excuse to reddit at work!)

Are you going to be answering questions with your smartphone while clinging to a ceiling in a ninja outfit?

Nope. Office day. :(

Documentation of all the fun stuff is a bitch.

Regarding social engineering tactics: is there a line you're not allowed to cross, as far as manipulating staff for information? You have to outright lie to get anywhere, obviously, but I imagine your employer has rules regarding how badly you can play people.

Honestly not really. I outright lie everyday, though it is not really malicious. Asking nicely and pretending to be a friendly vendor or something usually arouses less suspicion than acting all secret agent like.

Have you ever had to manwhore to get info from a horny nurse?

Please say yes...

Unfortunately no, my tactical turtleneck isn't sexy enough.

Has there every been a time when you just cant get in? I was meeting with a financial adviser and he said call me so I can come down to greet you. Another employee came in and unlocked the door and when i said I had an appointment upstairs he wouldt let me in, even after I showed him the envelope of tax documents.

Financial institutions are generally more secure, due to the nature of the business. Hospitals are about helping people, security often takes a back seat to patient care.

I've always been able to find at least one breach of patient privacy. I'm not always able to get digital info, due to tech controls like an IPS or comprehensive group policy.

I am going to be graduating from nursing school soon and working in a hospital starting in May. What is something that a nurse (low-level, I know) can do that is easy to implement and makes the biggest difference in information security?

Thank you for the questions.

On a personal level, always lock your workstation. Scold coworkers who do not. Be aware of people in your area. Does someone look lost? Ask them who they are. Be extra vigilant about giving someone access. NEVER EVER EVER share your network credentials or allow someone to use your workstations.

Read the organizations policies, ask questions if you are confused. Ask what to do about specific situations, if there isn't a policy for it, they should make one.

Sounds like a very interesting job. Most exciting hospital break in attempt?

There are a couple stories above but here is one that got my blood pumping. I was searching a lady's unlocked office for keys and PHI. While I was pocketing the keys and cell phone in her top drawer I hear someone try to open the door. I locked it when I began my search. She began knocking on the door and saying "Hello?!?" I thought about hiding in the bathroom, but that would lead to an awkward conversation if she found me. I just stood there frozen. Eventually she walked away, presumably to have someone unlock her door. I took the keys and bolted down the nearest stairwell.

Could your job ever result in the death or harm of a patient? (for example, stealing something needed like an access badge from someone and they can't get in to help in a dire situation)

I suppose hypothetically yes. I always refrain from interfering with patient care, and I would never steal an access badge of critical staff like emergency or ICU. Also, I give badges back to the CIO after I document the findings.

Do people who get their badges stolen from you get in trouble?

I try to keep the identity confidential. I will redact any PII in the documentation photos. I prefer to replace the badge if I can, but most often I have to give it back to the CIO.

The hospital isn't trying to throw 1 person under the bus. If it wasn't one individual it will be another. The goal is to get organization wide user training and security awareness.

How do people not recognize you after repeated break-in attempts?

I only assess each client annually. Also, we have several auditors.

At what point do you reveal who you really are? Do you deflect being an imposter the first few times, until you are really really caught/in deep shit? Where is the line?

Is there a safe word or something you use so that they know you are telling the truth this time, and not just someone trying to impersonate a "Information Security Consultant"?

Thanks for the AMA, really interesting!

The line comes whenever the employee finally decides I'm not who I say I am. generally I will keep pushing the lie until they call me out and go above me to verify.

Would the person who caught you get a special mention in your report? Or vice versa would someone who should have found you out get mentioned as not doing their job properly? Has anyone ever been fired for essentially not asking you for proof?

No one ever gets mentioned personally, one way or the other. I will make note of the department, sometimes drop a hint if it is a special mention. For instance, "The receptionist at the Addiction Recovery Center denied the assessor access and verified identity with information services, in accordance with policy."

I work IT in a hospital and i don't even know who i would call to verify. I can't just call someone from the security team because they don't keep their numbers in the global address book and the big exec's are in another city (provincial heath provider) and the global address book doesn't have their numbers on file either. The best i think I could do is submit a critical ticket with my phone number and hope that someone who knew would pick up the province wide page. But if you already had access to the ticketing system you could have a second person call me and you could get away. Because it paged critical about a week later there would be a huge meeting to determine if the critical incident was handled correctly but you could be out of the country already.

Ps: hospitals have terrible security. I normally keep my badge in my pocket because i find it amusing tracking how long it has been since i was last asked for ID. Currently it has been just over a month. Usually the only time I get asked is when I can't get a hold of the client and I need security to open a door for me.

This is fairly common. Under 164.308(a)(6)(i) of HIPAA, your organization is required to have a "Security Incident Procedures" policy, that dictates what to do in these situations. Many organizations have not adopted such policies yet.

Approach your compliance officer and ask this question. Cite the regulation number for added affect. This may get the ball rolling.

Your first successful lock pick.

Please describe it.

1. Tools used

2. what type of lock

3. time required

4. times failed

5. the step you took after your success.

1. 5 pin Bump key
2. Dont remember model, pretty standard lock you see on office doors.
3. 30 seconds
4. 4 or 5 "bumps" to catch the cylinder.
5. turned the bump key in the latch and opened the door.

(Clients prefer not to use conventional lockpicking tools as they can damage the locks.)

I have a cool hack I found of a improperly installed RFID lock. I took a video but I have to remove any personal info. I will post tomorrow.

I used a bump key on a standard office type lock. Took about 4 - 6 bumps to catch the cylinder. After that I turned the key and opened the door.

Was this the job you had in mind while you were getting your degree? And if not, how did it come up?

Not so much the physical side of things. I wanted to be a technical pentester, basically an ethical hacker. When I realized the enormous challenge of mastering such a skill, I decided to broaden my knowledge base and go for the consulting jobs rather than engineering. I have some basic hacking skills and lots of experience with vulnerability management tools. Honestly, unless you are the top 5% of hackers, there is more money in compliance and security management.

[deleted]

Like ISIS

Try "guest"

THIS HAPPENS ALL THE TIME!

EDIT: either this or 'admin' 'tech' or 'nurse'

He answers most of this in the other thread:

Yes Sir, most of these companies fall into the category of Managed Security Solutions Provider, or MSSP.[1] They usually provide other services such as policy review, vulnerability assessment (technical and physical), event monitoring, incident response and disaster recovery. The firm I work for deals specifically with hospitals. Due to HIPAA[2] and HITECH[3] regulations, Covered Entities[4] are required to have comprehensive assessments that include the physical PenTest I described.

And I'm pretty sure these companies don't really exist as covert ops, but as far as being covert only a small fraction of the management would know what is going on so that the test can be as legit as possible.

Edit: He also says in the other thread that only the chief of security and C-level managers (whatever that means) know he is there, so a handful of people tops.

This is correct. Chief of Security and executive staff usually know. (CEO, CFO, CIO)

Based on your observations, what precautions should patients take to protect themselves?

Ensure medical staff do not pull up your PHI on a monitor, then walk away without locking it.... Leaving charts in public areas, etc. It's hard for a patient to protect themselves, most breaches occur without the patient's knowledge. PHI commonly gets leaked through email, lost thumb drives, break-ins, careless shredding policies...

Have you ever gotten attacked by someone that thought you were actually stealing?

Not attacked. Mistakenly Tased by overeager security guard. (Explained above)

What does your family think of your job?

It's pretty normal really. I travel a lot, and usually have fun stories. They think it's interesting, but not too out of the ordinary, really.

EDIT: Terrible Engrish. I'm not even going to change it.

What other types of buildings require security checks of this nature? Are their companies that break in to museums, banks, restaurants, hotels, etc?

I know financial institutions must adhere to PCI-DSS compliance, which includes pentests. My understanding is they are more concerned with technical security, as physical security is more inherent in a financial institution.

What do you get paid?

Have you ever had to seduce someone to complete a heist?

Unfortunately I have not had to seduce anyone. :( I casually flirt with nurses sometimes. Though that is mostly just to ease suspicion.

How does your job compare to the commonly seen "heists" in the movies?

All I can picture is the Oceans 11 movie, but in a hospital.

I'm not as handsome

How often do you do this? Do you do other things as well?

I do 2-3 assessments a month. Physical is only one of three parts of an assessment. Technical review/ vulnerability assessment, and policy review are the others. Policy can be very tedious, but that's where the money is.

ITT No replies from the OP!

Read his edit

There is no edit. It was removed. What did he say?

oh no! I provided proof. Waiting for response now. I have to work in the morning so I will resume answering questions at 8:00am central. Thanks!

My friend stole a child-sized iron lung. What's the heaviest or most difficult thing you've stolen?

Now this needs an AMA.

A rack server was the heaviest thing I've ever taken. It was on the way to be decommissioned and was left in an unsecured area.

Why removed? ...

Because I was playing starcraft instead of sending proof. MY BAD!

Why did you post an AMA if you don't have time to answer questions?

Because I'm a newbie. I read the instructions and assumed you could set a go live time? I did something wrong I guess.

Scumbag OP does an AMA, answers no questions.

Edit: Nevermind!

scumbag indeed. I did post an edit saying I need sleep and will answer in the am. I did do my best to answer a few before bed. Happy reading.

So do they grade the hospitals based on how well you do in stealing or something? How does your job affect the hospitals that you break into? Do you inform any of the people that run the hospital or do you just go in there?

partly, the physical assessment is one of 3 scores. Administrative and technical are the others. The hospital themselves hires the firm I work for. I am not obligated to report any findings. The hospital can do as much or as little remediation as they choose, though they risk getting fined for a breach. Because they've had a risk assessment, this falls into the category of Willful Neglect, making the fines much larger.