Responsible Disclosure for Security Breaches

Unsecurity Podcast

In the latest installment of the UNSECURITY podcast, “Ben” joins Evan once again to give us the lowdown on what he has been up to lately and we take a deep dive into responsible disclosure. His latest project has been enlightening, to say the least.


Podcast Transcription:

[00:00:22] Evan Francen: Hello listeners and welcome to episode 39 of the Unsecurity podcast. My name uh, for those of you who don’t know already is Evan Francen, I’m your host for today’s show again. Uh scheduling stuff. I guess for security people is always a pain in the ass and this week is no different. We’re recording this show on Friday. We won’t release it until Monday because I’m out of the office next week. Uh, and this is still Brad’s vacation week. So he’s out of the hand for hosting this week. Um, which means that I get to be your host again. I guess. That’s pretty cool, Brad will be back next week and we’ll have the show planned out for sure. Now you don’t want me to sit here and you don’t want to sit here for like we do like an hour show. I think you don’t want to sit here and listen to me all week. So I invited someone last minute to join me. I think it was last night. Maybe. I think we finalized things. I found Ben, you want to say?

[00:01:19] “Ben”: Hi everybody.

[00:01:20] Evan Francen: Wow, you sound good, Ben. So Ben does Ben uh, and thank you again. Seriously for agreeing to join. You were planning on not even coming into the office today. But you came in to do the show and then you’ll head out and do family stuff. Yeah, that’s cool. So for those of you who don’t know, Ben was on a show before, he was on episode 14. This is episode 39, Ben. You’ve been gone for 25 weeks. Uh, that was back on February 11. This is like August something, wow. Yeah, while some number. All right. So Ben is not your real name, right? No, no, it’s not. So why why do we call you Ben? Why why do you prefer us to call you Ben? I mean, I know the answer, but I don’t know if the listeners do because I think it’s cool.

[00:02:11] “Ben”: So I I prefer a certain amount of anonymity and immunity and yeah, let’s call it.

[00:02:22] Evan Francen: And you don’t want people to know who you are.

[00:02:25] “Ben”: Okay. God, I do, I do enough research and OSINT on other companies to realize how devastating it can be when your personal information gets out there. So try and limit as much of my own as I can.

[00:02:39] Evan Francen: Sure. So for listeners, OSINT is open source information or intelligence gathering. Right? So it’s intelligence gathering now. Uh, plus you also do quite a bit of social engineering. Right? So you don’t really want your face out there. You don’t want your voice really tied back necessarily because you do social engineering attacks physically. So if they see you, Hey, I saw you on a video once. Who the hell? So I get that your voice, you do a lot of phone social engineering attacks. So there’s that piece too. So I get it. Plus I don’t, I guess it kind of comes with the territory. I’d rather, some days I’d rather not be known. You know, it’s just, I was at Caribou and uh some guy who was, this was like last week, he was delivering um uh like linens or something, you know, uh those, those mats that you walk on, right? And he looks at me funny and I looked at him funny, you know, it’s kind of awkward like, do I know you? And so, so he asked me do I know you and like, I don’t know, do you? He’s like, you know, so we’re trying to recollect, you know how we, you know, might know me. And I said, well, did you watch the news last night? He’s like, yeah, I was, I was on KARE 11, you know, maybe you saw that. Oh yeah, because you have this distinct beard now, right? It has nothing to do. He probably didn’t hear a damn thing. I said, you know, he just saw on the news, this guy with a big beard leon, it’s interesting looking fella, you know. Anyway, it’s good to not be known sometimes. I think so. Uh yes, you were back on episode 14. I thought it was a great talk back then back, a lot of lots of things have changed since episode 14. Uh the podcast has grown. We’ve got some better equipment now. You’ve grown. I mean, holy crap, you’ve done some really cool stuff we’re going to talk about today. Um but this one, you know, I think this episode is definitely gonna be better. Right? 
We have some things to talk about specifically um for a guy who used to do some of what you do not to the level that you do it for me. I think you live a damn cool life. I mean, I think it’s just cool stuff that you do, man. So I want to talk about, you know, some of that uh you know? Cool’s relative, Right? Cool. For security people for sure. Maybe not cool for everybody. Some of us will be some people who don’t do what we do, look at us and go, you guys are just crazy, right? Whatever. I think it’s cool. So we’re gonna do a conversation with with you Ben topics. I would like to talk about. The first topic I’d like to talk about is some of the research that you do. So you spend time, I think a good amount of time at work. But even, probably more time outside of work. This is almost this is a lifestyle for you. Uh what do you feel like what can So this research is ongoing? The current research project. And so I want to be sensitive about what we disclose here, um what can you share about kind of the current research project.

[00:05:55] “Ben”: So right now, the research I’m working on is primarily involving short links. Okay, so link shortening services and the information that they expose that they have inside their databases there. So don’t name any names or call out any shorteners or get into the details too much about the data. But yeah, it’s it’s pretty interesting to see what people’s behavior is with link shorteners specifically and online. And that’s it’s kind of the big thing that I really get into is trying to understand human behavior. It’s why social engineering works. It’s why you can influence other people’s decisions and uncover some really interesting information. Right?

[00:06:43] Evan Francen: So you and I work together. So I know, you know more, I think more of the details about, you know, your current research. And to me, it’s it’s fascinating for on one case, it’s fascinating to think that this hasn’t been found before. You know what I mean? Because it’s just there. It’s out there, right? It’s not you’re not doing Yeah, super sleuth the hacking type things. You’re you’ve found something that’s just exposed.

[00:07:15] “Ben”: Yeah. And it’s I I did find after doing a lot more research after I’d already started this project that two researchers from Microsoft actually dove into this space a little bit years ago, but they published a report in 2016. Their research was done over the course of a year and a half prior to that before it was released. So the data they were talking about was focused around link shortening services that don’t even exist anymore. So this is very stale data and that’s the latest research that’s been out there that I could find. So taking a new look at it, fresh eyes on it, they were more focused on primarily the malware or the phishing implications like what would happen if you click on a malicious link, things like that. Whereas I’m finding there’s there’s still a lot of that out there, but it’s it’s becoming very apparent that there is much more than just that. It was much more than just the malicious aspect of it. It’s people are effectively creating a gateway into their administration portals and certain pieces of their applications or their infrastructure and data stores and yeah, in data stores and just exposing it, they might not even realize that this is, this is public information. This is if you just keep looking for it, there’s nothing to stop you. And some of the application vulnerabilities that are inherent in these you click on a link, you might not even know what that link is doing with all the GET parameters on the end. Right. But some of them I’ve clicked on. I’ve inadvertently, it’s taken me right into their administration portals. Yeah. And it’s authenticated authenticated and it scares the hell out of me.

[00:09:09] Evan Francen: You and I talked about that

[00:09:11] “Ben”: because I’m like okay I did not intend to log into anything. And there’s nothing in the link that says I’m going to just here’s your here’s a token. I did. I was like oh maybe it’s specific information that’s going to load up some some session data that’s public. No, no it’s the admin portal. Yeah. And you’re in it’s like oh my God this is bad. Right.

[00:09:37] Evan Francen: So you’ve been doing this research, this one particular research project. We were just talking before the show, for four months and you’re still gathering data and you’re still uh mining through that data to find out what the true extent of this vulnerability might be. Um And I know you’ve already reached out to some of the ah don’t call them victims but you know organizations that are at risk because of what you’ve been finding um Which brings us into a whole nother piece. Right? Which is this responsible disclosure? You know I think but before we go there ah I’d like to understand more because I know there’s plenty of aspiring sort of researchers out there. What makes it in your opinion. What makes a researcher a researcher? What makes them good at it? Is it like I don’t know it seems like this curiosity you have that others don’t, is that part of

[00:10:38] “Ben”: it? I think I fervently believe that anybody can do anything they want to do, you can learn anything you want to learn so long as you have the drive to do it, you can do it. So if something interests you and if if anybody has kids, you know, okay, if they’re interested in something, there’s no issue getting them to do it right. If they’re not interested then it’s going to be like pulling teeth and you’ll have tantrums, it’s not gonna work. So finding something that really interests you that sparks a curiosity that really helps me. And actually what started this whole research idea was completely random. And inspiration comes from all different sources. Uh this whole topic that I’m researching came about when my dog ate something and I have no idea what he ate at the time and he was going out every two hours at night, Friday night and I wasn’t getting any sleep. He kept waking me up having to go out and do his business in my backyard and think about the fourth or fifth time I got up with him, It’s like 3:00 AM and like I’m not getting any sleep tonight. He’s just going all over the backyard. I have no idea what he ate. I’m gonna have to go back there and take care of that and look through all the bits to figure out what’s there. It’s like white bits and the stuff and looking through all the junk out there in the car. No weird. That’s that’s what kind of started the link shortening research is. Yeah. There’s people just throw the stuff out there. They shorten anything that comes in their mind and that’s what started it and just tiny little spark of curiosity comes from anywhere and you just roll with it when you can and see if anything interesting happens.

[00:12:30] Evan Francen: That is interesting. So yeah it’s it’s so fascinating how the mind works. You know how it can take you from one place to another place and sometimes you know you just want to let it let it do that. Right. Yeah. That’s cool. Alright. So the dog, we have the dog to thank for this cool research. Now, do you have any any idea or have you thought of when when this research this you know might be public where when you know we can it’ll be shared publicly so that people can um use it

[00:13:09] “Ben”: hopefully pretty soon. Okay. Um I have We’ve got over 10 million data points right now in the research that I’ve checked. But originally I was going to release everything because I’m very, very open about security research and security work transparency. But after seeing some of the security concerns in this open data, I just keep reminding myself of the aggregation of data principles. Okay. Alone, it might not be that sensitive or secure but when I aggregate everything together, I’m creating a massive database of attackable targets. So until we get through responsible disclosure and really do the responsible thing and let all these companies know and give them time to remediate. I won’t be handing out any of the actual data. I’ll be hopefully sanitizing it pretty soon and putting out a report with overall statistics. So hopefully look forward to seeing something like that too. Cool,

[00:14:15] Evan Francen: cool. As a fellow, I don’t research much anymore but as a fellow security professional um I understand the great amount of work that goes into this kind of research. I appreciate it. Um and it makes us all better. So you know, I’m grateful for the work you put in on this and I’m excited to see the conclusions and keep hearing, you know about the cool things that you’re finding along the way. It’s really neat uh which brings us to the, you know, you mentioned disclosure and responsible disclosure and that’s a challenge. I think for many researchers is you know, I have to because you have competing interests, right? Excuse me. On the one side you feel this obligation to let let whoever know about it. But then on the other side, you also want to let the world know because the world has a right to know about some of these things. But then you also have this piece where and you and I are not much for I think taking credit on stuff but you also don’t want somebody else to take credit for your hard work, right? And sometimes, you know like some people who take credit for their research do it so that they can make a name for themselves, others want to take credit for the research so that they can attract more people build a name so that people will help and people will follow and people will join you in your mission. I think you’re more like that than you are just to make a name for myself because then you just be Ben nobody, there’s lots of Bens. So we’re struggling with this responsible disclosure. I know you and I have had plenty of conversation about it and I know you’ve had conversation with other members of your team about responsible disclosure and that there is no one way to do this. There’s no like responsible disclosure handbook to follow. So tell me about your frustrations right now and kind of working through that.

[00:16:22] “Ben”: So yeah, responsible disclosure is an interesting thing because a lot of the times with some of these companies you don’t even know who to talk to, right, who do even do you contact them by phone by email. Is there a channel written out in policy? A lot of these places that I’m having to contact, they don’t have any vulnerability reporting platforms. No, no bug bounty programs that they’re involved in. That would be easy to say, okay, here’s a channel in to let them know there’s an issue. A lot of the companies I actually have to do more research, more OSINT, open source intelligence, to track down who do I even talk to that would care and that would know what to do about this. And uh when contacting these people, it’s, it’s very interesting gauging the range of reactions, right?

[00:17:14] Evan Francen: Because you don’t know if they’re going to fight you or if they’re going to be like, oh, thank you

[00:17:20] “Ben”: so far, all of the feedback has been pretty positive. Thank God. Yeah. Okay, well thank you for bringing this to our attention. Can I have the data? I’m like, absolutely, this is effectively your data that’s been exposed. Here’s everything I have on you. Um, but some people can’t even get a response. They don’t even want to hear

[00:17:42] Evan Francen: from you or

[00:17:43] “Ben”: it doesn’t seem like maybe

[00:17:44] Evan Francen: they think they’re getting scammed,

[00:17:45] “Ben”: right? And I have had that before too were calling up some of these people and they’re like, yeah, your email sounded really fishy. It’s like, well that’s sorry, that was not my intention to make

[00:17:56] Evan Francen: funny phishing phishing email. There was no link in it. Okay.

[00:18:00] “Ben”: Said and trying to get a conversation with these people and they, I don’t just want to send all the information to this person that I think you also talk to you

[00:18:10] Evan Francen: also have to validate that they can receive the data.

[00:18:13] “Ben”: Yeah, it’s the chain that I have to follow to make sure that this data is safe and getting into the hands of the people who need it and can act on it is tricky because it does look a little fishy when I send an email to companies saying, hey, I found some of your stuff. This is an attempt at responsible disclosure. Please. Can we have a phone conversation or follow up emails. Right. And some people just go dark. I never get anything back and other people when I talk to them and start going through the vulnerabilities and through the issues, some of the, some of the mitigating controls they bring up just won’t work

[00:18:52] Evan Francen: well. And it’s like, I don’t give a crap about your mitigating controls. I have your data, right? Yeah. You know what I mean? That’s great that you’ve got all these other things, but I’m something I’m talking about, right? So there’s a challenge. One in responsible disclosure. There’s a challenge. First in trying to find who do you disclose it to? So a good tip for companies uh, is to make that known. If you have, you know, uh, I don’t know, maybe publish it on a website. Maybe you do subscribe to a bug bounty service or something someplace where it makes it easier for researchers to find the right place to report these things that would help. Um, and then when you the challenge of when you do get the name of the person is getting responses, getting the right response is getting them to, you know, take you seriously, you know, that’s, that’s all a challenge too. And I don’t know if you ever think like as you’re going through all of this stuff like what the hell is the use, I mean full disclosure would be so much easier, right? Just plop that stuff out there and say deal with it, you know? Uhh So I think responsible disclosure is more work. It’s harder. Oh yeah, definitely. Uh But you know, I guess it makes you, I don’t know for me, it helps me sleep better that night knowing that I gave people an opportunity to fix something they didn’t even know they had. Right? So then what are you going to do or what are we going to do or what’s going to happen? Uh If you do have somebody that says, you know what I’m gonna I’m gonna fight you, I’m gonna sue you, I’m gonna do whatever. I mean, I don’t know what grounds they have because the research you’re doing, you’re not intruding on anything. You haven’t hacked anything, you haven’t bypassed any of their controls. So I don’t they wouldn’t have a case but you still have to be prepared for that because some people are not rational.

[00:20:55] “Ben”: Yeah, I suppose just explain to them that when they put their information out there in these services, they’re dumping that piece of information into a server that they have no control over. So they they can try and say, well stop attacking us. But really I’m not attacking anybody, I’m I’m not attacking you, I’m looking at the information they’ve dumped in a server that they have no control over.

[00:21:23] Evan Francen: Right? So this is this is a data exfiltration channel that they don’t know about

[00:21:29] “Ben”: you. And the majority of these organizations, the people exfiltrating the data that’s sensitive are people who work for those organizations. Okay, so a lot of this,

[00:21:40] Evan Francen: so they open this hole on purpose but not knowing,

[00:21:44] “Ben”: yeah, not fully comprehending their actions and where they’re putting this data and where they’re sending it to and how easy it is to get to it.

[00:21:53] Evan Francen: So you’ve got and I know you’ve submitted a couple of places to give a talk about this new research. And I’m really excited to when uh when those talks get accepted and will be when, because I think it’s a very interesting talk that and it’s a new thing that, you know, people like to hear those, so you’ll definitely get accepted wherever you’re going with it. Um but let me know which one is the first one. I want to be in the audience. I’d love to just love to be there. I think it would be so cool. Yeah, definitely. So um alright, so you’re head, you’re neck deep in this, head deep, neck deep, whatever, you’re deep into this research at the same time, you’re working through responsible disclosure at the same time, you’re working full time, you know, trying to pay the bills for your family. Uh I mean, I guess, you know, in some cases this is the life of a security person, right? I mean, we work a lot of hours and a lot of times when we’re not working, we’re working. And I think that’s the case with you one day, uh, we’ll talk more about responsible disclosure. You’ll be going to DEF CON this week and you will be running, I’m guessing you’ll probably run into some other researchers. And it would be good. I think, you know, if you do run into some to have that conversation about responsible disclosure and really create, I think the industry could use a single handbook of this is how you do responsible disclosure. Yeah. That would be nice that everybody could follow. Yeah. And then even get it accepted by, you know, almost like, uh, like NIST or the legal community or something, make it some sort of a standard. So then you don’t have to worry. It’s just one less worry. Like if you follow this path, you will be exempt from, Yeah. You know, legal liability or criminal prosecution, you know, those types of things. That would be helpful, I think, wouldn’t it? Definitely? So if we can get some traction there. 
But, you know, going back to one of the things, you know, we we work a ton of hours, uh, you’re doing this research much of it on the side. It’s there’s no pay for it, right? I mean, this is just something you do because you love what you do, and I think in your heart you love helping people because I’ve seen you do it so many times here. Um But one morning you you came in, so I I come in early a lot and one morning you you usually the second or third person to come in good morning. And we caught each other at the front desk and you looked kind of exhausted. You were tired that day. And so I just was just asking you, you know, how are things going? You know, And you were like, well, just got back from Bismarck and went here. I went there, I was doing all this social engineering stuff. I mean, you were attacking uh you know, paid for and legally attacking all these organizations. Um Because you also do a ton of social engineering exercises. You lead the social engineering practice here at FRSecure. Um Let’s talk about some of that. Let’s talk about some of the social engineering stuff because it’s always fascinating to hear your stories you’re mentioning. I’m not gonna prompt it too much. Well maybe I am. You were in a dumpster.

[00:25:08] “Ben”: Yeah.

[00:25:10] Evan Francen: Tell us about your latest dumpster dive, or is it the latest?

[00:25:12] “Ben”: That is the latest? Okay. Yeah, dumpster diving. The most glamorous part of social engineering.

[00:25:18] Evan Francen: Well it depends on what kind of dumpster diving into, Right? If it’s a restaurant. Yeah. No.

[00:25:22] “Ben”: Yeah, no, I yeah, I didn’t have my gloves on me this time. So I touched something in that dumpster and my hands smelled so bad. I must have washed them in this dumpster you’re talking about. Yeah, I must have washed them a dozen times. Just could not get that scent out for a couple of days. It was gross. But yeah. So work hazard, yeah, hazard stuff um in this dumpster, which is a very common practice for us to check, dumpster diving is a, it gives some payoff. So, over the course of all the dumpster diving, I’ve done you have been in a lot of dumpsters. Um

[00:26:01] Evan Francen: You’re worth more than that. I

[00:26:05] “Ben”: found some interesting bits of information here and there. Some sensitive information gets leaked or dropped in the trash. I mean the occasional occasional board meeting notes where the company is going financials for for the organization, things like that, occasional sticky notes with, you know, credentials on them. But this time in the dumpster, I’ve never hit gold like this. It was, it was ridiculous. It was a paper printed both sides with over 111 credential sets for everything the organization does: usernames, passwords, clear text. The banks they use, all the sites they log into and it’s just clear text thrown in the trash. And I was shocked. Uh huh. And I I just can’t believe that that was a common practice that was so prevalent, they just instead of securely destroying a document that’s sensitive, they just threw it in the trash. Mhm

[00:27:16] Evan Francen: And you went and talked to them right?

[00:27:18] “Ben”: Yeah. Yeah. And and getting because I can’t be responsible disclosure right?

[00:27:23] Evan Francen: Because this was the company that you found the the information that you found belonged to a company that wasn’t our customer. So you went and did responsible disclosure to the company that it belonged to.

[00:27:36] “Ben”: Yeah. Yeah it was it was a dumpster on public space. But I had to track down this company at first I thought it was the company I was targeting. It was like wow this is this is huge. It’s going to be great report. Yeah.

[00:27:50] Evan Francen: Right. Winning.

[00:27:52] “Ben”: So but then I realized after doing some looking at what this data was that? It wasn’t my target.

[00:27:58] Evan Francen: Oh shit. Excuse my language to say that. Hopefully though, maybe they’ll edit that up. Oh crap. Yeah.

[00:28:06] “Ben”: Okay. It’s like what am I going to do with this? So track down the company went up and tried to find a person to talk to the and eventually got face to face with the person who’s like look I found this in your garbage and the reaction was like what you were in the garbage? Why were you in the dumpster? Well rather

[00:28:31] Evan Francen: than the fact that you’re holding user names and passwords for everything. Why were you in the car? But yeah why why

[00:28:36] “Ben”: would you be in a dumpster? It’s like well here here’s this paper. This is why because

[00:28:41] Evan Francen: I’m homeless. Just look at the paper

[00:28:44] “Ben”: so hand it over to him and it just gets back to more of the social engineering. The more the human interaction, human behavior is just fascinating to me. So handing this back and it turns out it was standard procedure right there

[00:29:00] Evan Francen: like Yeah. So what it’s like

[00:29:01] “Ben”: yeah, everybody’s got one of these, it’s like what?

[00:29:05] Evan Francen: No, No, No, No, No. This is 2019 people. Oh my gosh.

[00:29:10] “Ben”: Yeah, please don’t print out clear text credentials.

[00:29:13] Evan Francen: So then you gave them advice. Look bad bad, bad, seriously bad. You need help. Right? It was kind of an intervention at that point I think is kind of what I took away from you telling me this story before. Even if you don’t hire us, if you don’t hire FRSecure, hire somebody, anybody, please to fix this issue. And you showed me a snippet of of of the data. Yeah. And it was bad habits even in what they were doing in the data. Right. I mean even the credentials, it was bad habits were being followed. So yeah, that that company needs some serious

[00:29:53] “Ben”: help definitely. That’s yet bad

[00:29:56] Evan Francen: big risk. So any other, you know, cool, latest social engineering sort of things that that you’ve been doing I know you’ve been doing a lot of night research on social engineering, a lot of night surveillance. A lot of

[00:30:11] “Ben”: lot of sitting in the car. Yeah watching and waiting for the right opportunity.

[00:30:16] Evan Francen: Wasn’t there a data center in Indiana that you got into in 10 minutes?

[00:30:23] “Ben”: Yeah from the from the initial point of attack after all the reconnaissance sitting in the car for a few hours.

[00:30:31] Evan Francen: That’s the thing that people always cut short is recon

[00:30:35] “Ben”: recon is so critical. If you if you don’t recon your target, if you don’t know what you’re doing you’re going to walk into a bad situation right?

[00:30:43] Evan Francen: It pays off. I mean 10 hours of recon can save you and we can save the whole project. Right? I mean but you got to be watching the right things and actually paying attention because I think you were doing recon with somebody was another uh team member on one occasion and then there’s another occasion but one occasion he was like yeah let’s go. I don’t you know he was too little too maybe ADD. Didn’t want to sit there late. Probably not a good SE uh you know probably not going to be good at social engineering at least not that way. But then the other team member was just fascinated I think by the work that you were doing. Didn’t realize how much work actually goes into it.

[00:31:26] “Ben”: Yeah. Yeah there’s so much that you have to pay attention to when you’re doing reconnaissance. It’s I mean it’s a field in itself in the intelligence for sure. Industry. So it’s yeah, it’s reconnaissance is critical for everything. But yeah, after after a lot of recon we found a perfect timing point where we had the opportunity and locked in and they’re, the physical controls were very weak. So just simple bypass techniques started the attack, for the attack chain, and then we ran into some doors that were very properly hung so it couldn’t do physical bypass, didn’t want to do anything complicated like lockpicking. So we started going through and relying on human behavior. It’s like okay we’re in this area. What can we look for? What telltale signs do we have for where the sensitive information would be. Where would keys be for this facility and found them right away. One of the first places we looked and looked at the keys, looked at the brand of the door or

[00:32:37] Evan Francen: the president was an extra.

[00:32:39] “Ben”: It was an industrial. Look at the, look at the brand of the lock, match it up with the key that fit that brand. And first key we tried got us through two factor authentication doors with just the physical bypass on because

[00:32:55] Evan Francen: they have to have that for fire code right? You have to have a bypass. So secure your bypass.

[00:33:02] “Ben”: Yeah. If if the fire department comes they need to get in. Well they’re not going to have the badge and pin code to get through your two factor door. Right? They need the key for the building to get through that door. So as

[00:33:13] Evan Francen: not to store the keys in the in the desk drawer because there’s no reason for anybody else in the entire building to have that damn key. Right? I mean, usually you have that box, the firemen’s box on the outside of the building, Right? And that’s where the fire department would have the key to that and get the keys for everything else. Yeah. All right. So you use that to get in And did that get you all the way to the data center? All the way?

[00:33:40] “Ben”: Just, I mean, it’s it’s sound, it doesn’t sound very appealing. It’s like, hey, I used the key to get through the doors, but when you leave it out, right, it’s not secure. It’s just not secure enough and

[00:33:53] Evan Francen: Why break down a wall when I can use a key? You know, I mean, it’s like the attackers would use the easiest way in. They’re not going to go some sophisticated, well, some of them do, but the dumb ones, but they’ll get busted because they make so much damn noise. Yeah, wow. All right. So that’s good stuff. Uh, social engineering is always interesting. I think people really enjoy social engineering stories because it seems, I don’t know, it kind of seems sexy. Slew the top secret kind of stuff. Uh, traditionally you haven’t done, you know, much, I’ve only done it a few times myself, but not recently, that nighttime surveillance, the nighttime, uh, which I like because it’s easier to see through windows at night. Yeah, you know, it’s easy to see what lights are on, what lights are off, it’s easier to see movements within the building. So, you know, for people that are doing SE attacks, don’t sell short the nighttime, you know, recon,

[00:34:56] “Ben”: Yeah, most buildings, you look at them in the day and you think, oh, I can’t see through those windows. Well, it might not be polarization designed to stop people from looking in. It might just be the tint, right? When the sun is down, the tint is useless, right? And when the cleaning staff is walking through the building at night, as most of them do, and they turn on the lights on the inside, you’ve got a clear view to the inside of this building. You know the patterns, you know the movements. You recon long enough and, people being creatures of habit, you know exactly where people are going to be at any given time and you know when to move.

[00:35:36] Evan Francen: That’s cool, man. All right, so, uh, you belong to this team here at FRSecure called Team Ambush. That’s a damn cool team, by the way. I love your team, love what you guys are doing. Um, anything new and exciting to share? I know there’s always something new and exciting to share with Team Ambush, but anything that comes to mind right now where, yeah, you know, I want to kind of tell people about this cool thing we’re doing, anything like that right now? Um

[00:36:07] “Ben”: Well, we’re in preparation for DEF CON. Team Ambush is going there. Um, we’re starting to create a lot more CTF challenges, or capture the flag challenges, which, for those who don’t know, it’s any type of security challenge. Could be physical, picking a lock, it could be breaking through a web application or reverse engineering a piece of malware. We’ve started really diving in and creating more of those for the team, cool to fill out our skill sets, and one of the team members here made just an absolutely brutal reverse engineering challenge, and it was so complex and complicated, and it was really cool to have a chance to try and go through that and try to open it up and attack it. And it took a long time, but just being able to make stuff like

[00:37:12] Evan Francen: That to three days. Oh

[00:37:14] “Ben”: Yeah, it took days, and it was just the concepts behind it, yeah, were amazing. And I’m being intentionally a little vague about it because eventually the plans are, okay, we’re going to open up and start helping other people learn. So we’ll give people access into some of the content we’re creating. No, it’s cool. So that they can play with it too, they can try their hand at it, try and learn something, because that’s the biggest part about the CTFs, is when somebody creates something so challenging that you have no idea where to go, you don’t know the answer, the payoff is in learning on the way to the answer, right? So, trying to attack this piece of programming that was written, I learned so much about reverse engineering and how these things work and what the math is behind some of this stuff. That was a major benefit, and that’s why we do these things. So we regularly make challenges for each other on the team and pass them around and try to improve our skill sets. So that’s

[00:38:24] Evan Francen: Cool. That’s a pretty cool team. It is, and I’m fascinated with how much that team has grown just in the last 12 months. Uh, it’s a very cohesive team. It’s so cool to see you guys working with each other, really caring for each other, building skill sets. Um, I think there’s a heart in that team to even, like you said, expand outside of the team. You know, let’s help more people. We know we have a talent shortage in this industry, let’s get more people interested in this, let’s make it fun. And the cool thing about CTFs is they are fun. You know, you obviously don’t give a challenge like the one you were talking about last week to a novice. That wouldn’t be fun. You know, you have to kind of get them there, right, and start, you know, with the simple flags and then, you know, keep getting more and more difficult. It is fun. It’s, it’s like, but it’s also time consuming. I mean, uh, I’ve seen and I’ve been invited to some of your CTF stuff and I just don’t have the time. I wish I did, because you have to focus, you know what I mean? You can’t, like, want to take 15 minutes and devote it to this flag. No, you know it’s going to take longer than that. You can’t just pick it up and drop it and pick it up and drop it very easily. So I commend you guys, though, for the great work you guys are doing. I know that there’s some cool services, too, that you guys are doing, refining services, making them better. Always striving to just do better, right? Push the ball forward. So I love that. Now, you mentioned DEF CON, so you guys will be out at DEF CON. You’re leaving on Wednesday, right?

[00:40:02] “Ben”: Yep. Leaving Wednesday for DEF CON there.

[00:40:04] Evan Francen: Ah, and I think some of our listeners have never been to DEF CON. DEF CON is the world’s largest hacker conference, right? It coincides, or it doesn’t really coincide, but it’s at the same time or nearly the same time as Black Hat, and BSides is there as well. Uh, so lots of backpacks, lots of weird-looking people, you know, I mean, if you’re not part of the culture, right, you look at some of the things, like, what the hell is wrong with these people? You know, geeks, nerds. But then you also got people that are just, you know, they look, I mean, it’s such a diverse culture. It’s really cool. So you’ll be at DEF CON. This is what number year? Number three, four, five? How many times have you been to DEF CON now? This

[00:40:50] “Ben”: will be my 4th year.

[00:40:51] Evan Francen: Gosh, twice, man. So two years ago. So how many people do we have going? How many on Team Ambush, is it eight?

[00:41:01] “Ben”: This year? The team is, yeah, eight people I believe are going, unless I count that wrong. Um, which is way more than we’ve ever taken before. I think the first year we went we had four people.

[00:41:13] Evan Francen: Yeah, that was back when Will was on the team, and yeah, I remember that. And then, um, we have a couple going to Black Hat who will probably show up, but just to say hi to you guys at DEF CON. So we got a total of 10 people, I think, going out to Vegas this week. I don’t get to go because, I don’t know, I think I get in trouble. You know, me and Vegas don’t fit very well. So I’m actually going to Duluth, uh, to do some more writing, but, you know, I’ll be cheering you guys on, and, you know, I’m just excited that you guys do this stuff. Two years ago you guys took third place in the Warlock Games capture the flag, last year you took second place, and I know the team this year is like, yeah, we’re winning, right? And so, and I don’t think any of your competition is gonna be listening to the podcast. We don’t have billions or millions of listeners. But even if they do, right, it is a challenge. You’re competing against other teams to do all these flags, and they’re not just hacking flags. You’ve got physical attacks that you need to get through, lockpicking, you know, maybe even other bypasses, um, as well as just kind of weird stuff, right, all across the spectrum. So yeah, I’m pretty confident you guys will come home with the crown. It’s gonna be really cool, man. I can’t wait to kind of tell the world.

[00:42:46] “Ben”: Yeah, and it’s kind of cool because, out there, for people who have never been to DEF CON, uh, so the three, Black Hat, DEF CON and BSides, uh huh, a lot of people have started calling it hacker summer camp.

[00:43:00] Evan Francen: Yeah.

[00:43:01] “Ben”: Um, yeah, we’re going to summer camp, and at DEF CON they’ve got so many different capture the flags, so many different CTFs. I mean, I pulled a list and there’s a CTF for every skill set, and for teams that want to do a broad range, where you need a team to complete it. But there’s, like, car hacking CTFs, it’s like capture the flag for hack this car, right? There’s a lot of wireless ones. There’s the social engineering CTF, which is pretty famous.

[00:43:38] Evan Francen: Chris Hadnagy, he still lives with

[00:43:40] “Ben”: Chris and Maggie leading it. I think this is their 20th year doing it.

[00:43:44] Evan Francen: That guy is amazing. Yeah, he’s

[00:43:46] “Ben”: So much respect for him. Is that his 10th year? I can’t, I should do that right, I should have written it down. But they’ve been doing it for a long time, and that CTF is fascinating. It’s insane. Yeah

[00:43:58] Evan Francen: But it’s focused

[00:43:59] “Ben”: strictly on social engineering and extracting data that way. Uh, the reason we like the Warlock Games is it has every aspect of security. So you do physical security, there’s OSINT, there’s malware, reverse engineering, there’s cryptography, trying to crack passwords, trying to do some OSINT for gathering more information for a flag. So it’s a very in-depth, very broad CTF that you need a team of people who work very well together and are good at a wide range of attacks and different competencies in order to really get through it.

[00:44:38] Evan Francen: So not only specializations but also overlapping specializations, right? To kind of cover the gaps, because the CTF isn’t just, like, a two-hour thing. I mean, this runs over a number of days, and I think it’s really cool to see how your team has assembled itself and scheduled itself. I mean, you guys are formally kind of approaching it this time where, I mean, you have some team members that sleep now while the others are getting up, right? So you’ll have this overlap, but they also have to have overlapping skills too, right, because I can’t pick up what you were just working on if I don’t understand what you were just working on. So it’s gonna be really cool. I’m super excited to hear the stories when you guys get back and tell us, you know, and even if you didn’t get first, you will, so I shouldn’t say even if, but, uh, just the crazy experience that you guys get together, it’s such a good team building exercise. You know, the team is already, I think it’s just super cohesive, right? I mean, this team is tight, and after DEF CON it’s going to be even tighter, because some of these guys have never been to DEF CON, or if they have been to DEF CON, they haven’t been to DEF CON with this team. I’m super excited, man. Yeah, it should be fun. You juiced? Oh yeah, so you’re leaving Wednesday, when do you get back?

[00:46:03] “Ben”: Uh, Sunday. Okay, yep. Okay,

[00:46:08] Evan Francen: Cool. All right. DEF CON, uh, we’ll be looking for an update. Yeah, definitely. And, uh, in the middle, just saying, all right. So for the listeners now, with this one guy, this guy that’s sitting across the table from me, Ben, we’ve talked about research, we talked about responsible disclosure, we talked about social engineering, talked about DEF CON. Tell me that’s not a cool life, man. It’s pretty fun. I know, I’m telling you, uh, because some days, you know, you move into management, you know, which I guess is what I do. Um, you know, you still get to do cool stuff. It’s just different cool stuff. You know, we were talking about that earlier this week. I love the fact that you share some of the cool stuff that you’re doing with me, because it makes me feel like I’m almost part of it. You know what I mean? It’s just, I don’t have time and it’s not my job to do that stuff anymore. But it brings back memories, because I think we all, not all but a lot of us, had a technical background. I didn’t go nearly as deep or as specialized as you guys do. Otherwise I’d probably still be doing it, but it’s just, it’s super cool. So thanks for sharing with me and the listeners. All right. We got some news this week and we got plenty of it. Um, uh, the, arguably the most talked about thing this week would have been the Capital One breach. Um, you have a Capital One card? No. No, I do. Uh, and my wife actually brought it up to me. I heard about it first actually from her. So sometimes she’s watching security news more than I am. Uh, and then she asked, well, are you worried? And I’m like, no, why? Uh, all credit card. I mean, if somebody does use my credit, and I guess there is information that was allegedly stolen: names, addresses, phone numbers, dates of birth, self-reported income, uh, and credit card application data, which I would assume would be Social Security numbers. Allegedly over 140,000, you know, Social Security numbers.
But I’m one of the believers, uh, that my Social Security number would have been compromised anyway. You know what I mean? It’s just not that big a deal anymore. The problem is the system itself is broken, right? If one series of digits can have that much effect in my life, that’s a problem. And if I can use that series of digits either as authentication or without authentication, that’s also a problem, right? So it’s just the entire ecosystem around Social Security numbers, it needs a complete overhaul. But I don’t think we’ll do that until, I mean, just human nature, right? Going back to human nature, I only do things if there’s pain. A lot of times people don’t, especially on hard work. I’m not gonna put forth a lot of hard work if I’m not feeling any pain right now; wait until I feel pain and then I’ll be like, well, how did I get here? Mhm. So anyway, ah, the Capital One breach. It was disclosed almost five, six days ago, last week, because if I’m talking on Friday, because you and I are talking on Friday, but the show airs on Monday, it’ll also be last week when people hear this, right? See what I’m saying? I’m dealing with my brain. So anyway, this developer, Seattle resident and software developer. So I’m reading from TechCrunch if you’re interested. TechCrunch, the title is “Capital One’s breach was inevitable because we did nothing after Equifax.” So that’s not actually what makes it inevitable. It was inevitable because it was inevitable, not because of Equifax. Um, but here they have a suspect in custody already. They, Paige A. Thompson, age, software developer, Seattle resident, used to work at Amazon. Uh, and then, uh, anyway, had AWS, right? And had access to cloud services and eventually found his, actually her, way into this data. So it’s not really all that sophisticated, and it’s not really all that exciting the way the attack took place.
But it does raise some issues. It raises issues about cloud services. Everybody is using some cloud services somewhere, and so people will start questioning whether they can trust the developers working on behalf of the cloud services. I don’t know, I mean, at some point, you know, and I know that there’s a lot of talk in the industry now about this zero trust model. Mhm. That’s great, but it’s impossible. I mean, at some point you have to trust somebody, right? And so, and the thing is with people is I might trust you today, but you stab me in the back tomorrow, that’s how trust works, right? Um, I mean, if you’re married, I mean, haven’t you built trust before and then lost it because you did something or you said a lie or something, you know what I mean? So trust isn’t like one of those black and white things. It’s only black and white with a computer. Mhm. It’s not black and white with people. You know, sometimes people do things, it’s like, why the hell did you do that? And they don’t even know why the hell they did it, but they did it. So anyway, it’s interesting, it brings up, I think it’s a little bit overblown, uh, myself, I don’t know. What do you know about the Capital One breach? Did you read anything about it this week, or you’ve been heads deep, and, uh

[00:52:10] “Ben”: I did read a little bit about it, and I’m kind of interested to hear more that’s coming out about what she did and when she discovered it, and it looked like she was trying to research this. Mhm. But instead of stopping after finding something, which in my mind would have been the responsible thing to do, is say, hey, okay, there’s a misconfiguration here, I can get in, I can see this data. Instead of stopping there and doing some responsible disclosure, she just pulled everything, right? Where do you kind of draw the line? Did you really need all of that information to prove that you could access that information? Did you need to extract it all? Wasn’t

[00:52:58] Evan Francen: she bragging on social media channels about her hacking this data,

[00:53:06] “Ben”: how to do it. It kind of goes back to what hacking used to be like in the movies, where people would think, oh, you hacked into this company, you took all their data, and they took it to them and said, hey, I got all your stuff, hire me. It’s like, wow, that doesn’t work anymore. That’s not how things are now. Now, if you try and do stuff like that, you’re just kind of showing that you don’t really have a strong moral compass.

[00:53:33] Evan Francen: Well, in some of the things that, you know, she was saying on social media to kind of prove that, all right, very erratic behavior, I think threatened to shoot up a social media giant or a tech giant in California. I mean, just a number of things. It’s like, yeah, I don’t, I think you might need some help. And unfortunately, through all of this, you know, there is some suffering, because even if I don’t have to pay, you know, if there’s fraudulent, and there’s no evidence that the data has been used, but if there were fraudulent charges on my credit card, I don’t pay, right? I mean, I get my money back, but there’s always a day of reckoning, right? Capital One’s not in business for losing money, so they’re going to raise rates, so everybody pays then, you know. So it’s interesting, but I don’t know. Marcus Hutchins, remember him? Mm. Yeah, so he didn’t get jail time. Well, he did, he got the jail time just as time served, with one year of supervised release. So for people who don’t know who Marcus Hutchins is, he kind of got his claim to fame because he discovered the kill switch in the WannaCry outbreak in 2017, whatever, ’16, ’17. Um, this is an article from Security Affairs, it’s “Marcus Hutchins sentenced to supervised release, no jail for the expert.” So he was found guilty of developing some malware, Kronos banking malware, back in ’14, ’15. Um, found the kill switch, hero, everybody loves Marcus, and then goes to DEF CON and gets arrested, I think at the airport, I think. And so he’s not from the US, I don’t think he’s a U.S. citizen. Uh, so he’s been stuck here since 2017, two years now. Uh, and prosecuted for that Kronos banking malware that he developed. So I guess in one way it’s sort of, uh, you know, I guess it depends on the side of the fence you’re on. Yeah. You know, you don’t have to serve jail, you know, any more jail time, because it could have been much worse for him.
Uh, or the other side, where it’s like, well, you broke the law, you created malware that caused a bunch of damage for a bunch of people and cost them money. You should pay a price for that. But then you offset: well, he did find the kill switch for WannaCry and probably saved us a bunch of time and a bunch of money. So I guess it’s just kind of like this conundrum of, like, okay, fine, because I don’t think he’s a bad guy. I mean, I don’t think, I think it’s a danger to society per se. So I don’t know. I kind of subscribe to the he kind of made a surprise. I’m happy with it. I don’t know. What do you think? Well,

[00:56:37] “Ben”: It’s like with everybody and everything. I don’t see any one person as being just a good guy or a bad guy. Everybody is a shade of gray. Isn’t that the truth? I mean, everybody’s got their own stuff. Catch me

[00:56:50] Evan Francen: on a Monday morning. So how good of a guy. Yeah,

[00:56:54] “Ben”: Exactly. So, I mean, the stuff he got charged for was in the past, as far as I understand it. It was a while

[00:57:03] Evan Francen: ago. Uh, 2014, I think.

[00:57:06] “Ben”: Yeah. And I mean, who here can say they have never done anything stupid when they were a kid, or this week, or? Yeah, I mean, you’d hope that as you got older you get a little wiser,

[00:57:19] Evan Francen: I’ll tell you something stupid I did, real quick. You know I have my beautiful Harley, right? Oh my God. So I pulled into, uh, Caribou Coffee, had a Caribou Coffee meeting yesterday morning with Renee, and I pull into Caribou Coffee, uh, and it’s a big, you know, it’s an Ultra Classic, so it’s like a billion pounds. And so as I pulled in, I, well, I don’t know why, I wasn’t thinking, it was seven o’clock in the morning and I pulled too hard on the front brake as I was pulling into the parking spot. I lost my balance and put the bike down, and I stood there and I looked at it like, you have got to be kidding, what in the hell? I mean, how many times have I pulled into a parking spot on a motorcycle? So it was one of those stupid things. I just, like, you’re the dumbest person ever right now, and then trying to lift that bike up. Oh, and then I looked, and the only thing I have is a teeny scratch about this big, so I was like, thank God, you know. But I feel like a complete idiot, complete imbecile, for, who does that? I mean, I’m a biker. Harley rider, man. Harley rider just drops his bike because he can’t keep it up. Anyway, so you talk about, yeah, what person hasn’t done something stupid? Uh

[00:58:41] “Ben”: Yeah, I mean, there’s, I don’t have the quote off the top of my head, but, um, especially with all the laws in this country, everybody,

[00:58:52] Evan Francen: they’re so far behind the times, aren’t they?

[00:58:54] “Ben”: Well, not only are they behind the times, but who here has never broken a law? I mean, there are too many of them to really understand. You

[00:59:04] Evan Francen: broke the law coming in today, right? The speed limit says 55. Did you not go over 55?

[00:59:10] “Ben”: I go a little over, and, well, there’s leniency in this stuff. That’s, I think that’s the main piece of this case, especially for him, is you’ve got to understand the leniency in the law. And okay, yes, some people drive under the speed limit, and there’s one of the guys on the team who always drives under the speed limit,

[00:59:30] Evan Francen: Who? Serious? Okay, we’re not going to, call me after the show, you have to tell me who that is. We have to teach them how to drive.

[00:59:36] “Ben”: Well, yeah, so

[00:59:38] Evan Francen: I get stuck behind him,

[00:59:40] “Ben”: It’s not going to be cool. So driving with him, it’s like, man, we could, you know, we could be going a little faster, and no, no, no, that’s fine. And then I get behind the wheel and I’m going a little faster, and, you know, you wouldn’t have to worry about speed traps if you didn’t speed a little bit. It’s like, well, okay, so I’ll slow down. Sorry, go on to the speed limit again.

[00:59:58] Evan Francen: I’m always nine over.

[01:00:00] “Ben”: Oh, that’s high. I’m usually like maybe five at the most.

[01:00:05] Evan Francen: Well, yeah, there’s a whole story beyond that, too, uh

[01:00:09] “Ben”: But yeah, in the case of Marcus, I mean, okay, he did some things in the past. Yes. But because of that experience, because of what he knows, what he did, that enabled him to stop a massive global potential issue, and I mean, you got to take that into account. You gotta have leniency in that case and be like, okay, you can’t always do the perfect thing. And who’s to say that he would have even known, or had the ability to stop this, if he hadn’t done that in the past? True. So you got to be, it’s always taking into account, gonna take everything into account, walk the middle path. Don’t be too focused on one side or the other. Yeah, yeah, yeah, that’s my

[01:01:01] Evan Francen: take on that. Mine too. I mean, I’m okay with, you know, I’m more of a, I guess it depends on my mood. Some days I’m much more of a legalist than other days. You know, some days I’m more graceful. It’s like, you know, like it. But yeah, I agree. The last news item, which we’re not going to cover because we’re running out of time, but it’s not that big a deal anyway. If you want to, you know, check the link, you can go to my blog where the show notes are, but “South African power company battles ransomware attack.” The important part there is just, there’s no system that’s immune from a ransomware attack, and it can take down power to an entire city. Uh, so anyway, there you go. That’s how it is. Ben, huge thank you, seriously, for joining me this morning. Uh, yeah, to me it was a great discussion. I’m sure the listeners will find it pretty fascinating too, and, uh, always the last minute, you know me, I wing it a lot. Uh, and best of luck to you and all the, Team Ambush, uh, out at DEF CON this week. I think you’re gonna have a great time. And, uh, I really want to hear how things go. I want to hear the stories. I want to hear the whole lowdown. And also thank you to our listeners. Always thank you to our listeners. The podcast continues to grow and we’re grateful for that. Keep the feedback coming. Send any and all feedback that you’ve got to our email at unsecurity at protonmail dot com. If you do give us something cool, we’ll be sure to mention it without your approval. Actually, we’ll probably do it with your approval, but I’d like to do it without. And if you’d like to be a guest on our show, or if you know somebody that we should have as a guest on our show, let us know. We try to make these things entertaining and educational as much as we can. And Ben, how can people reach out to you, or do you not want people to reach out to you? It’s your prerogative. Um

[01:03:01] “Ben”: I think my Twitter handle,

[01:03:03] Evan Francen: is that okay for them?

[01:03:04] “Ben”: Yeah, that’s OK. So, at mind flay, uh, that will probably be in the show notes too. Yeah, I’ll put

[01:03:11] Evan Francen: it in there now. So it’s M, one, N, D, F, L, A, Y. F, L, four, Y. Got it. Yeah. And I follow you. You don’t tweet a lot. You’re busy doing other stuff.

[01:03:24] “Ben”: Yeah, I usually don’t tweet a lot. Um, I try and get some really interesting stuff out there, or something that’s kind of funny I might tweet, like, uh, yeah,

[01:03:33] Evan Francen: But they can always connect to, you know, they can always follow you there and then DM you if they got something. All right. Uh, and again, thanks. Uh, find us on Twitter, myself @EvanFrancen and Brad at @BradNigh, even though he doesn’t deserve any new followers this week, because he didn’t do anything this week. Uh, anyway, that’s it. Have a great week. Everybody enjoy.