I'm an ethical hacker hired to break into companies and steal secret - AMA!

Can you hack me and pm me my runescape password?

hunter2

Have you ever gotten in trouble with the law? I mean as in, the police got involved before you could pull out whatever papers allowed you to break in etc?

Companies and organisations usually rely on their own security services and departments first before escalating to the police, which is part of the process we are testing. Although we usually have a "get out of jail"-letter in the back of our pockets stating why we are there if things do escalate; we never had to deal with the law or the police and we intend to keep it that way =)

What is some of the craziest shit you've done while breaking into buildings?

There are a lot of examples that come to mind. If I had to pick a few: breaking into an ATM in the middle of a mall while hundreds of people pass you doing their shopping (and not caring because you are wearing the ultimate cyber weapon: a fluorescent vest). Walking through the basements of a dark data center of a financial institution after business hours and almost getting locked in. Replaying an employee's fingerprints on fingerprint access control readers using toilet paper. I'm sure there is more stuff that I am forgetting but those are the first things that come to mind.

Can you elaborate on this toilet paper operation?

If you are using an optical finger printer reader i.e. a piece of glass serving as the touch surface, then a latent print might be left on the reader. If the reader is wrongly calibrated and/or misconfigured then a piece of damp toilet paper on top of it can replay the latent fingerprint.

In percentages, how much of your work is hacking in the old sense, like reverse engineering, digital tampering and usurping some kind of computer or other electronic gadget? How much is social engineering, role playing and in general would not need a keyboard?

Information gathering, pretexting and recon usually (there are exceptions) takes up 3/4 of the time spent on a job. Actual time on the customer network itself is usually only a few days compared to the many weeks of preparing phishing and social engineering scenarios because we will already know where the systems are we have to access and already have gathered so many credentials to be able to access them. Most time spend after that is actually finding the target data we are after versus what user accounts and roles give access to what. Good question.

Like the movie Sneakers?

One of the better - if not the only real - red teaming movie out there with a killer cast. I love it and watch it at least once or twice a year. No more secrets Marty.

What does your hacking kit look like? Could you list some (or even your favorite) tools you're using in your daily job/life?

Here is a selection that we usually bring on the job and after carefully planning our attack plan using at least two to three attack waves spread out over a couple of weeks or months:

• USB Armory, to have a self-contained system with everything you need
• Multi-band WiFi dongles with Atheros chipset suited for frame injection
• Proxmark EV2 or custom RFID/NFC copiers for access-card stealing or cloning
• Magspoof for access-card stealing or cloning
• Weaponized PocketCHIP / Raspberry Pi / Beaglebone with LCD display for WiFi hacking using a rogue access point. But also for running tools on the go such as network manipulation, credential extraction and man-in-the-middle tools
• Rubberducky or teensy for fast typing of payloads when required
• USB keyloggers and USB extension cords either stand-alone or WiFi enabled
• Ducttape and straps to install rogue network implants for later persistent network access
• Extension cords and network cables
• Bluetooth headset earpiece to stay in contact with my colleagues keeping watch
• Lockpick kits, bump keys, jiggler keys and other lockpicking tools
• Pliers, wrench, screw drivers for breaking down a lock or door
• Camera to photograph evidence and findings
• USB thumb drives tied to a lanyard and old keys to be "left" in bike sheds and parking lots containing interesting and enticing content for the lucky finder
• Fake paper access card and badge holder
• Banana, bunch of papers or other things to hold in your hand. People who have something in their hand walking around the building are usually not regarded as suspicious
• Disguise and clothes if you have to switch roles. You might have come into the building as the smoke detector check-up guy and might have to transition to a suit and tie to be able to get into the executive offices in another wing of the building

So a white hat hacker? Also whats the easiest way you've broken In?

Knocking on the window of the kitchen at the back of a large office building where the target office was located holding a box that was empty.

What is the weirdest thing or setup you encountered during paid or unpaid hacking?

Finding video surveillance and access control management systems exposed to the internet without firewall. Finding "this is the backup of the entire website.zip" in the webroot of a production server for a bank. Being able to guess the password of the network connected guest badge allowing us to print our own guest badge every day and just walk in the building (the password was 12345). Production level financial information servers running under the desk of a sysadmin because of internal IT politics and tensions. A company with a garbage container outside containing hundreds of computers and hard drives in perfect working condition containing passwords, documents, financial records, etc.

Once breaking into an ATM in a major retail chain we triggered the seismic alarm and it started to make a lot of noise. When looking around no one even looked at us. Until a child, trying to go through the revolving door to get into the mall, touched the glass wall of the revolving door triggering the alarm and stopping the door for a couple of seconds as part of the security measure. The glass revolving door alarm sounded exactly like the seismic alarm of the ATM and thus no one cared =]

What was the size of your red team when you started. Do you have a team that competes in CTF events?

A red team assigned to a job usually consists of 3 to 4 people depending on the skill sets that are required with 2 people being on the job on a constant basis over a period of a few months in order to ensure realistic results and responses from the target company. We sometimes compete in CTF events if we have time.

how do you feel about contractors contracts significantly limiting your attack surface?

We usually get in pretending to be the contractors themselves

This sounds like a dream job. when it comes to legal means in attacking networks. Are there any tool, methods that are actually illegal?

If you think this is a dream job, we are hiring: https://www.f-secure.com/en/web/about_global/careers/job-openings

This is all dependent on the country you are performing the services and where the company is chaired along with other constraints and good taste. We stay away from any kind of attack that involves blanket denial of service attacks, radio frequency interference, invasion of personal privacy of employees and their personal living space, etc. Unlike Hollywood's portrayal of hacking, we don't trigger the fire alarm or other idiotic things like that. We don't ask people to sell their stock or to perform something that might involve endangering them. We are allowed to hurt people's feelings though once in a while ;)

We are allowed to hurt people's feelings though once in a while

Can you name some examples of this?

Trying to invoke an emotional response from someone in order to make them do something on our behalf. Either by making them feel they will miss out on something or by embarrassing them but with minimal exposure to anyone else without long term effects.

Stupid example: if you want someone to click on your link in the email you sent them so that you can run your attack code, send them an email that looks like the subscription email to an adult website thanking them for joining the <some group>. You have never seen someone in an office click the unsubscribe links that fast.

How did you learn to do everything including experiences and education history?

Work as a system administrator when security consultancy simply didn't exist. Work as a network engineer and web master. Learn about where companies drop the ball when it comes to inter-company or inter-department communication and responsibilities. Learn where companies cut corners and try to exploit those. Learn social engineering and what drives or upsets the meatware i.e. the people working there. Have expert knowledge about operating systems, networks, web, mobile and other facets. Check out this list of tips to get started: https://safeandsavvy.f-secure.com/2017/12/22/so-you-want-to-be-an-ethical-hacker-21-ways/

If someone is planning to learn a computer programming language, which language would you recommend to that person, which would help the most in pen-testing?

Everything is geared towards Python these days so having proficiency in Python and scripting languages such as Powershell/Bash/etc will give you a lot of options when having gained access to systems or when wanting to develop something. Check out the grayhat hacking and blackhat hacking book series.

Thanks! Python 2 or 3?

(I guess both, probably...?)

Yes.

Sorry if this already got asked, but what’s your opinion on shows like Mr Robot? If you watch it, how possible is a scenario like that? Do you feel like the show addresses all parameters required to pull off a hack of that scale?

Mr Robot is being praised for its realistic portrayal of hacker tools and attacks and it is indeed a fun show in how they show how simple it can be to compromise something. They get the occasional thing wrong and I always find it refreshing to hear Sam Esmail and team talk about how they actually fix the things they got wrong afterwards. But it is and remains a show. I don't think we are going to see anyone trying to melt backup tapes anytime soon but I like the cyberpunk aspect to it ;)

I read that you are from Belgium. As a Belgian Computer Science student who is also interested in (Software) Security, is there any University in Belgium that you recommend for getting my Masters?

I am no longer living in Belgium I'm afraid and my school days are long over. It all depends on your interests and what it is you want to with information security.

How do I protect myself as a normal user best from cyber attacks?

Give these tips a read: https://safeandsavvy.f-secure.com/2017/01/27/what-can-i-do-to-preserve-my-privacy-and-security-4-tips-from-mikko/

Have you ever hacked all the things? Have you ever managed to drink all the booze?

I wish

Physical access to equipment grants you an open door to the entire system...that is easy

Has the government ever used your services? DoD, NSA, etc. Places where if you are caught attempting entry you’ll meet a 556/762 or 9 round...

Without physical access, what is your success rate?

Then, also...what industry typically has the best hardening?

I am based in Europe so we do not deal with DoD or NSA etc. For places where physical entry is very difficult we try to get as close to the target as possible. That means dropping USB thumb drives on the parking lot or just sending employees backdoored USB gadgets using postal mail with a thank you letter for their attendance to <conference they went to last week and made a big thing about on LinkedIn>. That can also include phone or email phishing to entice employees to give us their credentials so we can re-use them to log on to their services such as VPN end-points, web portals, etc. As far as the success rate of physical access, it is very hard to put a number on that but on average 4 out of 5 companies can be compromised with a physical premises access attack as the initial breach. Although we do not stop there and try the other methods as well e.g. phishing, wifi "evil twin" setups etc

How would one get started doing this?

Start here: https://safeandsavvy.f-secure.com/2017/12/22/so-you-want-to-be-an-ethical-hacker-21-ways/

What are your favourite ‘war games’ and ‘hacker challenges’ ? From a 2nd year comp sci student looking to go into security!

Try http://overthewire.org and http://cryptopals.com and get involved with their communities. Look for any kind of challenge be it system or network based. SANS.org usually has a recurring hacker challenge e.g. their holiday challenge, as do the major conferences which they archive for later download and replay. As far as originality I like http://www.pwnadventure.com a lot.

Have you ever seen the show White Collar? If so, what are your thoughts on any of the cons on that show? Your story had me thinking of the ep where Neal/the FBI break into a bank to demonstrate weak points in its security.

I have not, will check it out thanks.

What are the books that you would recommend to people who are already into hacking and who would like to acquire more knowledge on different hacking techniques as well as the way of thinking?

It kind of depends what domains you want to get better at. Most of the skills that are required are expert sysadmin skills, being able to program and script things together and having a solid understanding on how the technology works. But, also understanding what the caveats are of that technology being used in an organisation and how it can be used against that organisation. And for that you need to know what the daily tasks are of a sysadmin, network administrator, developer and deployment environments, how code gets distributed from the IDE to the production environment, how email environments work, etc. Basically how a company works and how it functions.

Rather than going the "hacking exposed" and other book series way which are more tool related and which will not help you in understanding; I am a big proponent of playing war games or hacker challenges. Learning by doing and getting your hands dirty on your own lab, writing your own tools and code is going to be the most productive for you to learn new things. But from a pure technical side I always recommend the following books as a bare minimum:

• The art of software security assessment
• Exploiting software and how to break code
• The tangled web
• O'Reilly's Network security assessment - latest edition
• The web application's hackers handbook
• The browser hackers handbook
• Mobile application hacker's handbook
• Grayhat Python
• <Any book on your favorite operating system>
• <Any book on your favorite programming language>
• <Any book on TCP/IP>
• <Any book on ITIL and IT processes and procedures>
• All the books I forgot for which you are all facepalming right now

Is protocol fuzzing something you leverage in your approach? How common is fuzzing in hacker community?

Red teaming seems to be a method of finding the weakest security links possible, but what about slighty more difficult vulnerabilities that you dont attempt to find bc they take too long to discover or you just miss them? Do you suggest more significant security program change within an organization after you exploit the low hanging fruit?

Thnx!

Fuzzing is more useful if you want to find vulnerabilities in a certain piece of technology. It is extremely rare we use fuzzing as part of a red team test but it has happened that we were able to fingerprint what software a company was using as part of their daily tasks, find vulnerabilities in it and then exploit those in a way that advances us towards our objective.

There will always be things that we do not find as part of a red team. We only need to find one way in. If a customer is interested in finding as many vulnerabilities as possible in a given solution, technology or process then we can offer that service to them as well but it kind of goes beyond what a red team is trying to achieve. Which is to test the resilience and monitoring capabilities of an organisation against a targeted attack where the attacker picks the attacks, not the defender. Once the detection mechanisms reach a certain maturity and most low hanging fruit is found, then and only then as part of an iterative process can more controls and processes be introduced.

Are there any programming languages that are better to learn specifically for ethical hacking?

If I had to pick two, python and powershell will help you the most, in no particular order.

I'm curious how you reconcile "ethical", "legal means", and "steal corporate secrets"?

Very good question. We try the worst case scenarios for companies to see if their investments actually make sense and if their model for the shared responsibility of information security (notice the absence of the word cyber) is actually able to detect a targeted attack in progress across different domains i.e. physical security, social engineering, network security etc. The information we have to obtain is usually very sensitive in nature so we propose a model where both parties can accept the risk and show value. If we need to break into a mainframe or database then demonstrating the user account, role and privileges of the account we used can be adequate for a customer. Some customers ask us to supply a specific customer record to prove the compromise, a number of lines of source code from their flag ship product, transferring 1 euro from one bank account to another, recovering a red envelope on top of a network rack, a selfie in the chair of the CEO or the board room, etc. We show them what is possible and what the damage could have been by actually doing it and not just talking about what-ifs and hypotheticals that can be downplayed by less-than-informed management of a company not knowing what risks are out there. But at the same time we do not want to be liable for having a copy of a sensitive database as that might have all kinds of implications for both sides. We keep it legal and have to come up with alternative ways of testing if we cannot perform a test directly. Example: A customer asks us to prove that we can access the customer meeting areas of their building and thus obtain sensitive financial information by planting a microphone under the table. Unfortunately this is not legal at least not in Europe. But to obtain the same effect we put a nice sticker under the table and photograph it, rather than a microphone, proving the same point. See it as hitting someone in the face with a pillow, rather than a brick. Same techniques and methods but without the nasty aftereffects.

How "lucky" is it for you that meltdown and spectre happend? Can you use that for future jobs?

There are easier ways to get into organisations than using these kinds of attacks which take a lot of planning and which might get you caught. But if we were to attack a VPS or cloud provider right now, it would be on our list of attacks to try it. At least until the window of opportunity closes and companies figure out what mitigation path to take in trying to respond to what we are seeing now as a result of spectre and meltdown. We usually focus more on the more systemic root causes of why breaches happen which is departments not talking to each other, shared cyber risk responsibility and not being aware of attacks across their organisation globally, among others.

What's an invaluable piece of equipment we wouldn't think of?

A stepladder

Do you enjoy your job? I work server administration and I find myself disliking it more and more everyday. I would rather be breaking in than patching holes constantly it seems. I would like to learn more hacking do you have any educational sources you recommend?

I do - because I get to use my own creativity in order to see how far I can push a scenario that might result in compromise and use/develop some custom tools and techniques along the way.

Hi, how are you? how can someone has been able to steal my BTC's from a hardware device, without having the words, the device, neither the computer being compromised?

Sorry to read about your Bitcoins. I am not familiar with the TREZOR device but as an attacker you always want to attack the weakest link in the chain. Which is usually the end-user using the technology and the user interface and credential recovery mechanisms exposed to that user. If I had to target someone using a hardware device of any kind I would probably go for the keylogger and/or computer compromise angle to be able to hijack access to it, rather than trying to attack the device itself.

I'm looking to get my CEH so I can get into the industry and eventually get my CISSPA. I currently have a Bachelor's in IT. Are there any courses outside of the certification prep you would recommend? I already have the fundamentals. I'm looking to further my knowledge and want to make sure my money is well spent. Thanks for doing this!!

You have to ask yourself what you want to achieve. Certifications really suck for learning anything. No one learns painting, karate or tennis - let alone hacking - in two weeks using a single book. I would suggest playing wargames, and hacker challenges to get your technical knowledge up and reading books and following selective courses or seminars on other areas such as security best practices, security management practices etc and see what is you like and don't like. The world of infosec is huge nowadays so don't get hung up on one single direct and organize a virtual tour or safari for yourself to see what areas you like and don't like. Good luck

Yes, find any indications of employees being ostracized?

Every company has politics and the usual amount of rope-pulling between departments. We are not interested in the people themselves, only the processes, the training employees had and the technology they are using.

Hello, what is your primary laptop and os?

Anything that runs the tools and software required. No preferences here.

I'm an avid follower of yours on Twitter and remember reading with interest the work you and your team did on the Stuxnet stuff. I'd be interested to hear what quals you have in terms of Ethical Hacking/Pen Testing or if you are self taught? And if you have gained official quals to what extent do you think they help you in real world scenarios?

I cannot take any credit for the stuxnet part of your question. Most of us are self taught and find ways of ensuring that our knowledge stays up to date to be able to attack the customer infrastructures of tomorrow. If tomorrow someone uses a new cloud platform then it is our job to find out how it works and learn about its intricacies in a way that even the end user doesn't know about. Having an inquisitive mind combined with reading and trying things out for yourself will ensure you are successful. As time can be limited I recommend taking courses on specific topics in order to force yourself to focus on one topic as part of a deep dive and then to find out what tools you could be writing to make things easier or better for yourself.

I've just landed my first infosec job as a Consultant at a unicorn cybersecurity startup. My question is: How much incident response do you do? How difficult is it to transition into a redteam-focused role?

Keep at it for at least a number of years and/or a few major cases at the very least! Incident response is invaluable in giving you insight into how a company works, what constraints there are when it comes to IT and processes, how an attacker operates from initial breach to lateral movement to persistent remote access and what can be done from a defender's approach. There is a lot of BS and blinky light vendors out there selling snake oil. Try to find out what works in what situations and what doesn't. The best poachers are hunters. You want to be both.

What is the best job title to apply or search for if you cant pass a background check or ethically choose not to involve yourself in top secret dealings? Is pen testing the place where everyone goes if you are "overqualified" for every other computer job?

A lot of people not wanting to do this kind of work will go into incident response, security architecture or will specialize. There is no such thing as over-qualification only having skills and experience. I have seen people go back to development or sysadmin work. It all depends on the levels of engagement and stress you want to subject yourself to and in what setting.

This is all well and good, but can we get some proof like an oficial contract between a company and your team? I'm just having a bit of trouble believing any of this.

Our customers and their names are confidential I'm afraid. As far as my personal proof you can find my bio here: https://press.f-secure.com/speakers/ As far as our service I can only redirect you here https://www.f-secure.com/en/web/business_global/red-teaming and can only recommend you to get in touch with us to talk red teaming.

Have you ever had the opportunity to break into a bank as part of your agreed surface for attack?

Also, would you suggest different RFID access locks between the building's general tag and the more secure areas? I'm trying to get the boss to see that the system might have issues with related key attacks (if the tokens are encrypted terribly, which older ones atypically are). So any stories about how to attack setups like that would be handy to build my case.

We have broken into bank and financial institution headquarters, branch offices in forsaken towns and cities, data centers, ATMs, insurance offices, etc.

For RFID access locks I can only recommend that you perform a threat modeling exercise first to see what benefits the RFID part gives you versus traditional locks versus other security controls. MIFARE DESFIRE are usually the generation of cards that have the highest level of security when it comes to being able to thwart someone trying to clone the card. But that shifts the risk towards the maturity of the company of being able to manage the key material and other facets that come with running access control systems and the eco-system of employees versus the cards they carry. But whatever you do, protect your access card.