#LetsTalkSecurity: Hacker Adventures
Let's Talk Security: Season 01 // Episode 02: Host, Rik Ferguson, interviews Hacker, Author, Speaker, Scientific Hooligan & VP at SphereNY, Jayson Street. In this lively discussion, they talk about the mind of a hacker and how to defend against it.
Jayson E. Street, Hacker, Author, Speaker, Scientific Hooligan & VP at SphereNY
This episode was originally streamed on Thu, 14-May-2020 to multiple platforms. You can watch the streams (along with the comments) on-demand on:
[00:05:30] Rik: ...thing. So let me fix that. There we go [laughs]. The joy of live broadcast and uh, the wrath of the demo gods visited upon us once again. Thank you very much.
This is Let's Talk Security. I'm Rik Ferguson. Uh, it's difficult to believe that a week has gone by already since, uh, last week's great conversation with Katie. Katie Moussouris, uh, from Luta Security.
We have another fantastic guest for you this week. Um, I suppose like many of you my perception of time has been completely, uh, altered by lockdown and by the, the global pandemic situation.
Um, I guess that's why a week flies by. There's, uh, very little to differentiate day from day, uh, when we're stuck in, in the same place.
[00:06:14] I hope you're all healthy. I hope you're well, and I hope you're looking forward to today's conversation as much as I am. We have a great guest for you today.
If you've seen any of the promo materials you will know that that is Jayson Street. Author, uh, hacker, adventurer. Um, he's been, uh, a celebrated speaker at events, uh, around the world for many, many years. I've had the good fortune to meet Jayson in person.
Uh, but I've had the misfortune not to get, uh, an awkward hug from, from Jayson when I did meet him. Um, and I think the time has come for me to ask him live. Jayson, why did that not happen? Where was my hug?
[00:06:53] Jayson: I- I'm one of those guys it's like, where it's like you have to ask for it. It's like a, it's like a, I always hug my friends normal first. It's like, and then it gets awkward.
[00:07:03] Rik: [laughs].
[00:07:03] Jayson: So it's like, uh, but, uh, awkward hugs are always available upon request. It's like so, so n-, so next time for sure.
[00:07:11] Rik: So is that, is that still a thing? Are you still doing the awkward hugs?
[00:07:14] Jayson: I am still-
[00:07:14] Rik: Because you have some great war stories, right, about, around that?
[00:07:16] Jayson: I'm still doing it for quite a bit. It's like it's been, it's been, uh, it's, it makes me more accessible I think. It's like, it's a good ice breaker for people who wouldn't normally come up to me and say, "Hey, I would like to talk to you."
But they go like, "Oh, no. He's a s-..." They go, "But I can ask for an awkward hug." And then they go and ask for the awkward hug and it's like and then, then we can start a conversation.
[00:07:36] Rik: How did it start?
[00:07:36] Jayson: And that's one of the main reasons why I like it.
[00:07:39] Rik: How, how did it start? How did you, how did you begin in doing that? [crosstalk 00:07:42]-
[00:07:41] Jayson: Oh, it started because of, uh, Meghan Woo. Uh, I think it was DEF CON '19, Meghan Woo was, uh, going into surgery I think. It's like she wasn't able to make DEF CON.
So I was like, "Well, I'm going to give out hugs in your honor. It's like and we'll..." I put 'em on Twitter. It's like, "Hey." It's like, "Here's a hug." It's like...
And I did different kinds of hugs then, but most of 'em that were, uh, uh, I think, uh, most appreciated were the awkward hugs.
[00:08:08] So, 'cause you know, Dan Kennedy, he started the hug movement. I just made 'em awkward. And so it's like, so after doing these awkward hugs and then, uh, and then after DEF CON '19 it sort of faded away.
And then, uh, and uh, besides, uh, Dallas, besides DFW, it's like uh, there was, uh, Wendy Nather, who was, uh, in the hospitals. It's like, so I was like, "Oh, well, I'll bring the awkward hugs back."
And that right then is where it took off. It's like everybody just, uh, we had a big group awkward hug. People just loved getting the awkward hugs.
[00:08:40] Rik: It's a badge of honor now.
[00:08:41] Jayson: Huh?
[00:08:42] Rik: It's a badge of honor now. Awkward hug from Jayson Street. That like-
[00:08:44] Jayson: Awkwardhugs.org.
[00:08:44] Rik: Better than a con badge.
[00:08:44] Jayson: It's like I've awkward hugged Oliver Stone. Huh?
[00:08:50] Rik: That's better than a con badge. Right? If you-
[00:08:51] Jayson: [laughs]. Yes, exactly.
[00:08:52] Rik: [crosstalk 00:08:52].
[00:08:52] Jayson: I don't know [crosstalk 00:08:53]
[00:08:55] Rik: That's why I'm distressed I didn't get one.
[00:08:56] Jayson: Huh?
[00:08:56] Rik: That's why I'm so distressed I didn't get one.
[00:08:58] Jayson: Uh, yeah, I'm, I'm sorry you didn't get one, but I, I-
[00:09:00] Rik: [laughs].
[00:09:01] Jayson: ... will make sure you get one next time. It's like I, I plan on running into you again at some point, somewhere.
[00:09:05] Rik: Uh, yeah. When the world gets back to normal. Speaking of back to normal and the world-
[00:09:08] Jayson: Yeah, yeah.
[00:09:08] Rik: ... and the pandemic, how, how has lockdown been for you?
[00:09:11] Jayson: Uh, it's, um, I'm not one of those, uh, I'm one of those unfiltered guys so it's like, uh, I'll tell you straight up, not, not great. It's like uh, it's been pretty rough.
But, uh, I'm, I'm coping and uh, a lot of people have it harder than me. And so um, and that's not to negate what I'm going through or to belittle what everybody else is going through.
[00:09:34] Rik: Mm-hmm [affirmative].
[00:09:34] Jayson: We're all going through our own things, you know, you know, by ourselves at one point. Or, we're with friends but we're still, we're having to, to face that, you know, this, these circumstances.
So I mean I'm adjusting. It's like I'm trying to cope with it. It's like I've, uh, I- I- I'm just trying to focus o- on what's important, which is, you know, being around people that you care about. It's like uh, uh, doing good work and uh, trying to make, uh, be of service to other people.
It's like I've been 3D printing a lot of uh, PPE gear for-
[00:10:06] Rik: That's what it's for.
[00:10:06] Jayson: ... nursing homes in the area.
[00:10:07] Rik: Yeah.
[00:10:07] Jayson: It's like, uh, and I've just been trying to like, uh, help out where I can. It's like volunteer to give talks.
It's like, uh, just trying to like, you know, I, I, I did the hashtag, you know, #SpreadSmilesNotCovid. So it's like, so it's like, I- I'm just trying to, to be a little bit of a beacon out here 'cause it's pretty bleak.
[00:10:24] Rik: That's great. And you, and there, there was some, uh, I guess, like many of us you had events and attendances and talks and projects, uh, planned-
[00:10:32] Jayson: Yeah.
[00:10:32] Rik: ... over this period. What's, what's been the impact on, on that side of things for you?
[00:10:36] Jayson: Um, that, oh, I wish you would r-, it's been the most brutal, to be honest with you. I should have been like in four different countries already. It's like, and I love to travel.
Ever since I was little, uh, since I was 10, it's like I just dreamed of traveling. And it's like, and, and it gets exhausting sometimes, but, it's what I always wanted. It's like, it was, this is a promise that I fuf-, I'm fulfilling for the promise I made to my 10-year-old self. To, to survive-
[00:11:02] Rik: Mm-hmm [affirmative].
[00:11:02] Jayson: ... get through it, and it's like and, you could explore the world. And so I'm trying to do that. But, this year's been, I mean, I was supposed to go to like Dublin, which is like I've never been before-
[00:11:11] Rik: Mm-hmm [affirmative].
[00:11:12] Jayson: ... and I wanted to go see. Uh, I was supposed to be teaching at, uh, bl-, uh, at Asia. It's, I wanted to go to Singapore.
It's like I was supposed to be in Moscow. It's like I mean, there's been a, a, several countries that I should, uh, I mean, it's just... I don't think I'm going any-, I think all, everything's getting canceled.
[00:11:29] Rik: Yeah, yeah.
[00:11:29] Jayson: It's like, uh, I just got the thing from Copenhagen, uh, today, where they're going online which is good a- and some, and that's the other thing. That's the key thing though. That's good. That's important-
[00:11:42] Rik: Yeah.
[00:11:42] Jayson: ... for the, the, community. That is important. They're, they're putting in the, the, imp-, the attendee's health and the speaker's health and the organizers they're putting the public good first before-
[00:11:56] Rik: Yeah.
[00:11:56] Jayson: ... the conference. It's like the same thing with DEF CON, uh, being put into safe mode with networking. It's, it's not being canceled, it's just we have to change.
We're hackers. We adapt. It's like, and so we need to adapt to make it safe for everybody. So and, and accessible for all. So uh, I, I can't be upset about that part, but I am upset about the expiration m-, I'm upset about-
[00:12:19] Rik: [crosstalk 00:12:21].
[00:12:21] Jayson: ... being stir crazy and stuck in my place and not being able to go out and meet people and network and, and just talk.
[00:12:28] Rik: What's been, what's been kind of cool for me, uh, is that what, what we've effectively seen has been like, uh, a physical disaster recovery plan for the educational aspect of the information security industry, right?
[00:12:39] Jayson: Yeah.
[00:12:39] Rik: We've been able to see... When I looked at my own calendar, what happened, uh, in the first month of, uh, you know, when lockdown kinda went global, I, my calendar emptied itself. All these things [laughs] were just like-
[00:12:50] Jayson: Right.
[00:12:50] Rik: ... falling out of the calendar and empty. And I'm like, "Wow. I, I'm not going to have much to do that, that doesn't involve just reading and writing."
Um, and then, within three weeks it began to fill itself back up as all of these events kind of rebooted, uh, re-imagined themselves and moved to this online virtual format. And people are really learning as they go, but the events are still happening and the community is still-
[00:13:11] Jayson: Right.
[00:13:11] Rik: ... coming together which is testament to, to the community as a whole I think, right?
[00:13:15] Jayson: Oh, e- exactly. It's like, it, it, leave it to the cr-... I mean, and it's just not even the hacker community, it's like, I think a lot of people are realizing that everybody has a little bit of hacker, you know, inside 'em. It's like, I mean, I've always said that you were born a hacker.
It's like that child-like curiosity, that child-like wonder, that child-like, "Yeah, this is what I'm told it's supposed to do but maybe I can do something different." And having imagine-
[00:13:38] Rik: Mm-hmm [affirmative].
[00:13:38] Jayson: ... imagination that you can make it different. It's like, and so you see that adaptation with the classrooms going online. It's like-
[00:13:46] Rik: Yep.
[00:13:46] Jayson: ... and you can, and so many companies are starting to realize, "Oh, I guess that could have been an email." You know? It's like [laughs], so it's like, it's like, so you're, you're seeing, it's like, "Oh, we did not have to have this open office space."
It's like, it's like, "We could have had work from home."
[00:13:59] Rik: Y- you know some of the-
[00:13:59] Jayson: So you're seeing those adaptations.
[00:14:01] Rik: I've seen things like, uh, even within Trend Micro. So one of the things, you know, it's like a pendulum, right. So when I said my, my calendar emptied itself, the pendulum's all the, all the way over here. It starts to refill, the pendulum is swinging back.
[00:14:12] Jayson: Right.
[00:14:12] Rik: Um, it's things like using, um, tools like Zoom within the workplace.
[00:14:17] Jayson: Oh, yes.
[00:14:18] Rik: I guess Trend is not the only company now, where it's certain groups within the organization have started to do like Zoom-free Friday, for example. So we can actually-
[00:14:26] Jayson: Right.
[00:14:26] Rik: ... get some work done.
[00:14:27] Jayson: [laughs].
[00:14:27] Rik: And we're not spending time just sitting in, in video conference calls all day-
[00:14:31] Jayson: [crosstalk 00:14:31].
[00:14:31] Rik: ... you know, compensating for the lack of, of a working environment. Anyway, you spoke about fulfilling a childhood dream, um, and traveling was part of that.
Uh, you have been involved in security in various guises for many, many years. Uh, I'm not insinuating that you're old, uh, but you're old. Um-
[00:14:47] Jayson: It's been 30. [laughs].
[00:14:49] Rik: [laughs]. Seriously, you've had, you've had a long and storied career. And, and you, you know, if you go look at your LinkedIn for example, uh, you started out, effectively, in security anyway, you started out in sort of network security, admin-type roles. Is that right?
[00:15:01] Jayson: Uh, network security administrator.
[00:15:03] Rik: Yeah.
[00:15:03] Jayson: They let me choose the name, and I wanted NSA. So it's like [laughs] network security administrator.
[00:15:08] Rik: [laughs].
[00:15:08] Jayson: I was the NSA for the company.
[00:15:10] Rik: And it's been a good 20 years, right?
[00:15:12] Jayson: Yes.
[00:15:13] Rik: So you've seen a [crosstalk 00:15:15]-
[00:15:14] Jayson: No, no. Yes. I started in 2000. Uh, is when I first got my first job in, uh, information security at an internet-only bank.
[00:15:23] Rik: And it's from, from my experience that the, 2000 was kind of a, I started a little before that. So I saw, you know, the era of Melissa and Love Letter and Blaster and all of those old, you know, the, the, the m-
[00:15:36] Jayson: The Help Net guys.
[00:15:38] Rik: Yeah.
[00:15:38] Jayson: The Help Net side. Yeah. [laughs].
[00:15:39] Rik: Totally. That's where I was. Totally.
[00:15:41] Jayson: Yeah.
[00:15:41] Rik: Um, so, how did your r-, 'cause I know my career has taken all kinds of weird twists and turns over time. How did yours evolve over time?
'Cause I know that you were doing the network security admin stuff, uh, but at the same time you were doing the Hacker for Hire stuff. Um-
[00:15:56] Jayson: Right, right.
[00:15:56] Rik: ... so how is that... And, and, and like I said, 20, no 2000 was kind of a pivotal year in the, the, the, transition from, uh, you know, things like Melissa and Blaster to cybercrime as a, as a business model and as a global phenomenon.
So how have you, did you see your role evolve, evolve over time? What are the, the important tectonic shifts that you've seen across time?
[00:16:17] Jayson: Uh, I think one of the biggest shifts that you've seen change in uh, information security is uh, the different ways that we looked at the, uh, the role-based. It's like, it's like before it was all about the perimeter. It's like, I mean back in 2000 it was, you had to have the firewall.
You had to have the perimeter. You had to have everything locked down 'cause everything was coming at you. And I think now it's evolved to the point we realized, what perimeter?
It's like every endpoint is a perimeter now. It's like every endpoint has to be protected because you don't know where that endpoint is anymore. It's no longer within the confines of your firewall or your, your, your castle. It's like a...
A lot of medieval references for some reason. But it's like, but you know it's like, it's, it's all there.
[00:17:09] It's like, you know, it's like, and, and we, we've talked, I mean you've heard so much. It's like in all these different ways, you know, it's like, uh, security's like, uh, an ogre.
You know, we're, we got layers. It's like, well, the same thing with the, the layers is the um, we, we're understanding that that's not even the case anymore. It's all compartment.
It's all compartmentalized. It's all going to be where um, you can't trust this part of the network because it goes and it has extranet connections to other partners that may not have the same security model as you do.
And so we're having to learn and go from being one big homogenous, uh, group that's protected under this one shield to being, "No we have to start making sure the encampments are, are protected as well, at, even with, with inside the walls."
[00:17:56] Rik: And of course you've got complications from, uh, public cloud environment and, and, uh-
[00:18:00] Jayson: Oh, yes.
[00:18:01] Rik: ... evolutions within that architecture as well. The way that we actually, uh, design and build going from infrastructure as a service to containerization and serverless environments.
All of that kind of being drawn together. We have a, we have a question-
[00:18:13] Jayson: [crosstalk 00:18:14].
[00:18:13] Rik: ... um, that came, uh, from YouTube, from David Burn. He is asking, "What is the, the first thing that Jayson hacked?"
And I guess this is going to be um, down to your interpretation of hacked, 'cause I know that you [crosstalk 00:18:26]-
[00:18:26] Jayson: Well, exactly. 'Cause there's, there's two-
[00:18:27] Rik: ... right?
[00:18:28] Jayson: Yeah.
[00:18:28] Rik: What's the first thing you hacked and why? That's the question that came in.
[00:18:31] Jayson: There's, there's, I'll give him two different options. The, the, the true answer for a hacker, uh, of, uh, because I believe, like I said, I firmly believe this.
Like we, we generalize too much in saying that a hacker has just got to be a computer, or it's just got to be about security, or... That's not just hacking. It's like so, my first hack was when I was five years old, uh, and I hated Hot Wheels.
Uh, I didn't like cars that much back then. It's like, I liked spaceships.
[00:19:02] And so uh, my mother, not caring, uh, decided, "Well, no, this is what you get because you're a boy. You get cars." And so, 'cause she did not know how to handle boys so she was like, "You get cars."
So I hacked 'em and by taking the wheels off and modifying them, sometimes with glue or sometimes with like tape or something like that, and I turned my cars into spaceships. It's like, uh, or hover cars.
It's like, so it's like, these are now my spaceships. So I'd take all the wheels off and it's like I made them mine. And my second hack-
[00:19:35] Rik: I have full sympathy for that, because-
[00:19:36] Jayson: Huh?
[00:19:36] Rik: I have full sympathy for that story. One of the things that I'd got as a kid was a, in the US I think you call it a foosball table. We call it table football. Foosball, right?
[00:19:44] Jayson: Right, yeah.
[00:19:44] Rik: T- tur-, right. So I got one of those. I hate football. I'm just, you know, I, if it's got to be a team sport it's always gonna be rugby. I'm just, I'm not a, a soccer fan by-
[00:19:52] Jayson: Right.
[00:19:52] Rik: ... by any stretch of the imagination. But I got, 'cause I'm a boy, I got a table football thing. So uh, I left it in the box but I turned the box over and I used a, a big Sharpie, a big marker pen to draw all of my spaceship controls on the back of the box. It was [crosstalk 00:20:05]-
[00:20:06] Jayson: No. There you go. Same thing. That's the way it works.
[00:20:09] Rik: [laughs].
[00:20:09] Jayson: And my uh, my uh, my second hack was, my first computer hack was 3.11. Uh, it had the pro-, that's how, yeah, back in the ancient days it's like, uh, there was a program manager.
It's like, uh, in 3.11 and there's like all these little groups and so what I did was I took all the icons, uh, changed them, uh, to fantasy characters. Uh, one Army of Light, the other, Army of Darkness.
And I literally turned and took all the program managers out and changed the way the GUI looked and it's like, and I made them looking like they were facing a battlefield.
[00:20:49] Uh, and so if you wanted something you had to click on the knight or you had to click on the dragon or the castle. Uh, it's like, or one of the elves. It's like to, uh, a- access a program.
And then I, I did a lot of GUI hacking more than I did any kind of, any other kind of hacking, uh, back in the day. 'Cause I liked changing things and making 'em look not what they're supposed to look like. So it's like-
[00:21:09] Rik: Yeah.
[00:21:09] Jayson: ... so my, my Linux looked like Mac, my Mac looked like Windows. Uh, that kind of thing.
[00:21:14] Rik: Yeah, I used to do similar. I used to, whenever I was forced to use a Windows machine, I used to try and make it look as much as I could like a, like a Mac desktop. [crosstalk 00:21:21].
[00:21:22] Jayson: Oh my god. LiteStep. I'm sorry. LiteStep.
[00:21:24] Rik: Yep.
[00:21:25] Jayson: I loved LiteStep, uh, .exe back in the day. It was like, it was like a complete shell replacement, and it's like you could use it like LiteStep Linux. I loved it. [laughs].
[00:21:33] Rik: So we, we, spoke about the Hacker for Hire stuff, uh, that that was running concurrently with your, uh, more traditional role if, if, if you like.
[00:21:40] Jayson: Right.
[00:21:41] Rik: Um, and, and, for a long time. What, what did that involve? That was, this was pre, as far as I understand it, so this is your story-
[00:21:48] Jayson: Mm-hmm [affirmative].
[00:21:48] Rik: This was pre, um, mostly pre-social engineering side of things, right?
[00:21:52] Jayson: Yeah.
[00:21:53] Rik: Hacker for Hire was more a traditional pentesting type operation?
[00:21:55] Jayson: Yes. Um, what I decided to do, um, I worked for a bank that was extremely, uh, tolerant and lenient for my weirdness. Uh, and, uh, one of the best things I, I, firmly believe, you can't be a good Blue Teamer, uh, or a defensive person unless you really can fully understand how you're going to be attacked.
It's like how real-world attacks happen. And so I started, uh, back in 2006, it's like I started trying to do the testing side because I wanted to not build defenses like an honest person was gonna build 'em or like you know, 'cause locks keep honest people out. It's like, and it's like, I wanted to build defenses like they were going to be attacked.
[00:22:43] So I would always put, every one of my defenses were made in mind of me being the bad guy. I'm trying to rob you. It's like how would I stop me from doing this?
And I had that mindset even when I was doing physical security, you know, 30 years ago. It's like I would always have, when I went to a new location I was like, "No there should be a security camera right there. Or there should be a, a guard placement here."
It's, I mean I would look to see. It's like, "How would I rob you? How would I actually do something bad? Let's make sure we protect against those." Uh, so I started doing that.
I started doing, um, uh, pen test job, extra jobs and consulting work and subcontracting work for companies, uh, doing network-based penetration testing.
[00:23:27] Uh, and I wasn't the greatest. It's like, I got to be honest. It's like, uh, I was-, I wasn't the greatest at it. It's like, uh, usually most, uh, use a lot of tools. It's like, uh, I did some things that were innovative.
It's like I did some things that were like out of the box, it's like, from, uh, from manual. But 90% of it was gonna be, uh, it was scripted. I was, I was, I'm very, I have bad self-esteem and it's like, I, I have a lot of confidence issues. So it's like I was like, I didn't think I was ever going to be that good at it.
[00:23:52] Rik: Mm-hmm [affirmative].
[00:23:53] Jayson: Uh, and then back in 2000, 2010, 2009, uh, I started getting more involved in the physical stuff.
And that's when it clicked that I could use my physical security experience and use it on the offensive side. And so, and, and so now it's like, and I realized, I'm really good at robbing people in person. It's like, sort of, uh...
[00:24:16] Rik: It's like a, a weird skill to discover, right? You suddenly [crosstalk 00:24:20]-
[00:24:19] Jayson: Exactly.
[00:24:19] Rik: ... "Oh, wow, I can do this?"
[00:24:21] Jayson: Yeah. It's like, and so I, I tell people it's like, "I don't know, I don't have to fully understand or know how to do a SQL injection on your website. I mean I know, but I don't have to know that if I can walk into your server room and steal your SQL server.
I've gotten all your databases. I don't have to drop anything. It's like they're going out the door with me." So-
[00:24:44] Rik: Do you remember what, what drove that, um, that awakening or that, that awareness t- to refocus your efforts? Was there a, was there a turning point or a tipping point?
[00:24:55] Jayson: Yes. There, there, there was a... This is also once again, getting too real. There was a talk by a guy, uh, who I was inspired by, uh, and it, it made me want to get involved in it.
He, he turned out to be a major a-hole and it's like, uh, and thought I was like, I was like, "You're stealing my work." I said, "No, I didn't steal your work. I was inspired by your work."
[00:25:15] Rik: Mm-hmm [affirmative].
[00:25:15] Jayson: "I just can't help that I'm good at it. Don't get mad at me for that."
[00:25:17] Rik: [laughs].
[00:25:18] Jayson: Okay [laughs], it's like, it's like, so but, uh, I uh, but he, he did. It's like, and that's what I like. I've seen other people who give talks that are like similar to mine and I feel happy about that, 'cause it's like I inspired them to do better and that's great.
It's like that's, that's what you're supposed to be doing here. You're supposed to not have everybody just emulate you. They're supposed to like do better than you. They're supposed to go and, and, do their own take and go their own direction with it. It's awesome.
[00:25:42] Uh, so, I, um, I, I start, I saw that and I was like, "Well, I want to do this. This is what I want to do." And I started doing it, and I just started going out and the bank once again being tolerant of me allowed me to, to do some of that to them.
And it's like, and go out and do it to others. Uh, and that's when it took off. It's like and I started getting more and more involved in that part of it and I realized that I could never be a good Red Teamer. Red Teamer's all about compromise and exploit.
Uh, I wanted to be about education.
[00:26:13] So, uh, about five years ago I started, uh, I stopped doing any kind of Red Teaming kind of action and I did security awareness engagement where I would literally go in and I would do all the Red Team kind of activity.
Uh, I would break in, I would plug in the rubber duckies, or it's like uh, the WiFi Pineapples. It's like, "Now I'm using the Bash Bunny and the new, the new Key Croc-
[00:26:34] Rik: Mm-hmm [affirmative].
[00:26:34] Jayson: ... from, uh, Hak5 which is amazing, but that's another story. But it's like, so it's like I started using these tools, uh, to show where the potential threat is. I'm not putting in exploit, I'm not running code on their machines.
I'm not, uh, stealing their data. I'm doing a demo. It's like I'm, I'm bringing out awareness to 'em. So therefore, they don't feel betrayed. It's like, and then I could educate them after I leave for two minutes and I come back and then I educate them on what they did wrong and how they need to be aware of people like me.
[00:27:06] Rik:: So I'm going to come back to that in a second-
[00:27:08] Jayson: Okay.
[00:27:08] Rik:: ... because that's one of the l- line items that I had definitely said, "We need to talk about this." 'Cause I agree that that's a, that's a critical part-
[00:27:15] Jayson: Right.
[00:27:15] Rik:: ... [crosstalk 00:27:15] the security game of any individual or organization, right.
[00:27:19] Jayson: Right.
[00:27:19] Rik:: I mean at the end of the day when, especially when you're talking about social engineering, it's effectively down to individuals m- more so than organizations at the end of the day.
[00:27:26] Jayson: Right.
[00:27:27] Rik:: Um, but our first, I wanted to, um, give you a chance to... 'Cause one of the things I, the expressions that I used in a tweet, uh, earlier on today when I was saying, "Make sure you don't miss this broadcast because..."
And now I don't want to let people down, uh, I said that we would talk about extrication from sticky situations. 'Cause I know that that has-
[00:27:48] Jayson: Yeah.
[00:27:48] Rik:: ... happened to you. [laughs]. Now, you can edit the names as much as you have to and as much as you like, but I know that you've, uh, as a part of your professional engagements, been in some very interesting situations and I'd love to hear a couple of war stories about um, you know, what did that involve, where were you, what were you doing, what happened, and, and how did you get out of it?
[00:28:07] Jayson: Okay. Um, I'll, I'll share a couple. Okay. The first one which is like the elephant in the room, 'cause everybody, is one of the first things everybody refers to.
Yes, I accidentally robbed the wrong bank one time. One time, in Beirut, Lebanon.
[00:28:22] Rik:: Everyone does that.
[00:28:23] Jayson: And one, and I, who, who hasn't made mistakes before on the job? I'm not perfect. It's like, who hasn't robbed the wrong bank before? So um, that was intense, uh, and uh, unfortunate.
Uh, it was a word I used. I actually uh, episode six, the Dark Net Diaries goes into that very well. Uh, and Jack Rhyder did a great, uh, uh, job on telling that story. So I won't, I won't bore you with that one again.
[00:28:50] Uh, another one, uh, which was really good, was uh, in my uh, not so, uh, paid professional aspect, uh, droning has gotten me into trouble a couple times.
Um, and one of my favorites was I was in, uh, at the, uh, Cape, uh, in South Africa, uh, in Cape Town. It's like and I was at the Cape of Good Hope or Cape, Cape Horn... I don't... The very tippy-tip-tip of, of Africa. It's like right there.
[00:29:20] Rik:: Yep.
[00:29:20] Jayson: Uh, and, uh, and I decided to go droning, uh, because yellow. Uh, and my drone happens to be maybe slightly hacked, thank you KF, uh, where it's like a, it disregards no-fly zones.
[00:29:33] Rik:: Mm-hmm [affirmative].
[00:29:34] Jayson: So I never really know when there's a no-fly zone. I just don't know. It's like is, was this a no-fly zone? Well, there was one time in Beijing where... But I'm not going to go into that one.
[00:29:42] Rik:: [laughs].
[00:29:42] Jayson: But it's like, uh, it's like [laughs], it's like, but I did not know there was a no-fly zone. So, um, so I'm flying my drone and all of a sudden these two park rangers come out and you're like, "Oh, wait, I don't know if I can..."
[00:29:59] Rik:: [laughs] You've gone too far to stop now. We know where you were and we know what you were doing.
[00:30:03] Jayson: Crap. Okay. [laughs]. Okay. So I, I may be, I may be [laughs] admitting to a, to a felony.
[00:30:08] Rik:: [laughs].
[00:30:08] Jayson: But, okay, so it's like so, so these two park rangers come back, who I don't know who they are, and it's like and this was all innocent to me.
So I'm, I'm putting that out there. And so they come like, "You're going to jail now. You come to the, you're, you're going with the police. You're, you're, you're going to jail."
And I'm like, and I'm like, "What's going on?" It's like, "Oh no, I'm, I'm a very responsible droner." It's like, "I did not know." It's like, "Let me..." And I literally, technically I did not see the sign. It's like, uh, before, 'cause the, the, the tour business I was on, it didn't, it wasn't in eye view the, the sign.
[00:30:38] So I didn't know that this was a no-fly zone. It turns out there were sign police. Who knew? Um, it's like, uh, I ran into that problem at the great wall. But it's like, but yeah, so it's like, I did not see the signs. It's like, how is that my bad?
Uh, and my, my drone flew. Uh, and so I'm talking them out and it's like, and so they're like adamant and then they're like taking so much time. And I'm like, and as I'm dr-, I'm bringing my drone back, I'm, I'm driving it backwards so I can still get a good view [laughs].
[00:31:03] Rik: [laughs].
[00:31:03] Jayson: It's like as I, as I'm flying back. It's like, and then I landed. And my friend she, uh, she quickly absconded. She was like, uh, "Police, I'm out." You know, it's like so, uh, she, she was out of there-
[00:31:15] Rik: "Not my drone. Not my problem." [laughs].
[00:31:17] Jayson: Yeah, exactly. A-April doesn't do crime. So she was gone. It's like, uh, so I was like, "Thanks for the backup." Uh, and so [laughs], um, I realized they were taking a long time so I realized what could solve the situation.
And in my naivete and my, just honest to, to be a public a, a, good public citizen I just said, "Hey, I'm very under time constraints. It's like, and I do, I should pay for my actions. It's like this was wrong.
So if I could pay the fine right now could we just not have to worry about calling the police?" It's like, "I'm willing to pay the fine now. Here's three, four hundred grand." It's like, "Let me pay the fine." And so I was able to pay the fine there.
Luckily, it's like it was very official. It's like they were official people-
[00:32:03] Rik: Yep.
[00:32:03] Jayson: And I was able to, uh, pay the fine and then leave. [laughs].
[00:32:06] Rik: And, and, and I guess a lot of your experience from, from your physical, uh, pentesting exploits probably came into play that [crosstalk 00:32:14]-
[00:32:13] Jayson: Oh, yes.
[00:32:14] Rik: ... the situation calm, keeping yourself calm and thinking of-
[00:32:19] Jayson: Oh, exactly.
[00:32:19] Rik: Pre-planning escape routes right, as you're, while you're talking.
[00:32:22] Jayson: Oh, definitely. I've been in, I have wandered into a lot of unusual places, uh, when I'm traveling, uh, just to like... Oh, one time it's like, and I'm, I'm gonna go with this one 'cause it's like, it's been like over, uh, over ten years I think.
I think we're good. Uh, so I was in the museum of Cairo. It's like in Egypt, the museum of Egypt. It's like a, and, and it was the big one. And I had a, a, video recorder pen on me, and a video recorder watch and a video recorder f-...
And it was so funny, 'cause there's no photography allowed in the museum. It's like-
[00:32:53] Rik: Yeah.
[00:32:53] Jayson: ... and for the record, I did buy the book, I did buy the, the museum book, 'cause that's only thing they want you to, they don't want you to do flashes and they don't want you to like, uh, take pictures so you can go and, and not have to buy their, their souvenirs.
I bought lots of souvenirs. So I supported, I supported the museum.
[00:33:09] Uh, but my speaker friends were with me as well. It was a, it was a speaker tour from the conference uh, uh, that held the, the conference, uh, we were at.
And so, they were coming up to me going like, "Jayson, look over this way." They wanted me to take pictures with my watch, it's like so I could like do it. So they weren't being very subtle at the fact that it's like that I had all these options.
So it's like, so I'm like, but I'm like just walking around and then I g-, I finally, it's like it turned out that the, uh, the uh, the tour, it's like at the very end was the, um, whatchamacallit? King Tut, the Tutankhamen exhibit. And-
[00:33:47] Rik: Mm-hmm [affirmative]. Yeah, yeah, I know what you mean.
[00:33:48] Jayson: And those freaking people in Egypt, they keep all the good stuff to themselves. Any tour you've seen of Tutankhamen and you've seen museum tours somewhere else, it's nothing compared to the one in Cairo.
That's where the good stuff is. So I was already out of battery of my pen and my watch so I've got my flashlight and I'm holding it up, [laughs] and it's turned off, of course, 'cause that would be bad. I've got my, and I'm hold-, and the guard comes up to me and he's like, "No, no light. No light."
And I'm like, "Oh, don't worry. I'm not turning the flashlight on."
[00:34:16] Rik: [laughs].
[00:34:16] Jayson: [laughs]. It's like so, so I get all these pictures.
[00:34:19] Rik: "I'm just holding it."
[00:34:21] Jayson: Yeah, exactly.
[00:34:24] Rik: "I'm just [crosstalk 00:34:23]." Yeah.
[00:34:24] Jayson: Exactly. It was like, so that, that was a good one. So yeah. I've gotten into some, some scrapes like that. It's like a, and, and a couple run-ins with some other places, uh, and some other people that I don't even wanna get into publicly.
[00:34:36] Rik: [crosstalk 00:34:38]. When I, when I said, "Let's do some of these war stories." This is what I wanted to go back to. Th-, what you talk about in the context of these types of events and engagements is you talk about creating a teachable moment.
[00:34:49] Jayson: Yes.
[00:34:50] Rik: What is that?
[00:34:52] Jayson: Um, bank tellers. If a bank robber comes in with a ski mask and a shotgun, they're usually gonna have a very bad day. And why is that? Because the tellers are trained expecting and learned how to respond to that kind of event.
There are no stupid users, ever. It's like uneducated users, always, it's like is the problem. It's like, so when you train the tellers that sometimes the threat's gonna be a guy in a suit and a USB drive, that's when you get that extra security.
[00:35:32] Rik: Mm-hmm [affirmative].
[00:35:33] Jayson: We've been just training them about the ski mask and shotguns when they need to learn about, you know, the, the U-, the suit and the USB drive. It's like so that's what I do. I give 'em that moment. I give 'em the moment where they get to learn, "Hey this is what else can happen."
It's like, it's just they don't, it's not their job to understand all the different ways they can be attacked. That's a responsibility of the security department. Security departments for too long had been [00:36:00] lazy and bad, basically, by just saying stupid user clicked on a link.
[00:36:05] Rik: Mm-hmm [affirmative].
[00:36:06] Jayson: Stupid user, uh, did, uh, went to a website. Stupid information security didn't properly train their users. It's like, and so that's what I provide.
I provide that real-world example so now the employees can get it. They can make that connection that, "Hey, this is what's going on-
[00:36:23] Rik: So-
[00:36:23] Jayson: ... this is what needs to work."
[00:36:25] Rik: That's got to be kinda delicate and, and, and I'm sure there are a lot of organizations out there who would like to, uh, begin to think about how they can create those teachable moments themselves for their employees.
Um, it, it must be, uh, and I know for example, a lot of companies do, uh, phishing exercises, right, phishing simulations.
[00:36:42] Jayson: Right.
[00:36:42] Rik: They're real low-level kind of version of that sort of thing. Um, one of the things that you have to deal with as a trainer, if you want to use that expression in, in those circumstances, is the reaction of the person being trained.
It's got to be a pretty delicate situation. So how do you, how do you stop them feeling like an idiot? How do you stop them feeling to blame? How do you turn it into a positive?
You know, a, a situation where they have basically fallen for something and they're sitting there feeling maybe a little bit stupid, how do you turn that into something positive for them?
What, what do, what do organizations and individuals need to do to create a training that, that doesn't alienate the people that they're trying to train?
[00:37:25] Jayson: Yeah. This is true. I actually, uh, I taught a class. It's like uh, it's like, uh, Code Total Blackout with, uh, April Wright. It's like on, uh, creating a security awareness training program.
And one of the key things that you focus on is always the positive reinforcement. It's like we've done so much on the negative, like, "You could be terminated or you could be fired if you do that."
Why aren't we, whenever I do an engagement I have never recorded a person's name. I've never recorded a person's name who's failed. But I always, I always get caught.
That is one of the key things. If I have not gotten caught by the third day of the engagement by an employee doing the actual good job, I will deliberately go out of my way to lessen my, uh, my uh, threat it's like and try to be more obvious. And I keep being more obvious.
[00:38:16] I was so obvious one time to where I actually had to unplug a desktop uh, server, that was behind the teller line of a bank that was being used, and then walk out the door with it.
And as I was actually walking almost out through the teller line before the employee decided that he should question me why I was taking it. And as soon as he questioned I was like, "Oh, you got me. Good job. What's your name?"
[00:38:39] Rik: Yeah.
[00:38:40] Jayson: "That was the way you're supposed to do it." Always give them a win. And we need to start-
[00:38:45] Rik: Okay.
[00:38:45] Jayson: ... making it competitive. It's like, users don't care about security. It's like it's an inconvenience until you make it something about them. If you report a suspicious email, you get one entry into a quarterly lottery that you get 1000 dollars or 1000 euros or, or, or some kind of prize.
You get this 1000 euro prize, or 1000 dollar prize, uh, every quarter. And the more times you do a report or you report something or you do good behavior, guess what? That's how, how, another entry you get to win that lottery. And it's not the same kind of like, not all the things [inaudible 00:39:26].
If it was an actual phishing compromise, that's like 10 points. That's 10 entries. It's like, if you stop someone that was trying to, uh, piggyback behind you, that's like five entries. It's like-
[00:39:39] Rik: Yeah, 'cause there are few things that are, that are really uncomfortable to do right. Even, even when you, you know, you've been in the game for a long time, there's something that almost goes against every aspect of socialization that we learn about being helpful, being friendly, being polite.
You know, you're taught from, from a very young age to hold the door open for the person behind you. You don't let it slam in their face, and then-
[00:39:58] Jayson: Right.
[00:39:58] Rik: ... for security purposes within an enterprise environment it's absolutely not what you can do because of things like tailgating.
So when I was talking about that kind of mindset in a, in a presentation, I think it was last year actually, and I was saying the kind, the two most important things to my mind anyway that you, and I'd be really curious to hear your, your perspective on this, 'cause this, this is your area of specialization.
[00:40:18] For me the two most important things you can do, one is, and I was talking actually with reference to, um, a- attacks like business email compromise, which don't really rely on, um, malicious files or, you know, traditional malware type of attacks.
They're more about, you know, you've got to compromise someone's email account, sure. But, once you've done that it's about creating believable emails to get someone to make a financial transfer. That, that kind of stuff, right.
[00:40:41] Jayson: Right.
[00:40:41] Rik: And for me the two most important things were empower your employees. Make sure everybody knows that they have the absolute right and they will be supported in saying no.
[00:40:50] Jayson: Right.
[00:40:51] Rik: Even to the CEO. If the thing that they're being asked to do is going outside of policy or procedure they have the full right and are expected to, even to the CEO, say no. And make sure you empower them to be able to do that.
[00:41:03] Jayson: Uh, 100%.
[00:41:04] Rik: [crosstalk 00:41:05] position of authority's gonna be a, gonna be, uh, gonna be a thing. Um, and, and, and the second is to create a mindset within all of your employees that you, you are a part, personally, whatever you do in the company, you're a part of that defense.
[00:41:21] Jayson: [crosstalk 00:41:22]-
[00:41:21] Rik: And, "If you want to get to my company, you've got to go through me first."
[00:41:25] Jayson: Yeah. Right.
[00:41:26] Rik: And for me, if you can do those two things you've gone a long way to mitigating a lot of those human-centric threats within an organization. Is that right? Am I way off base?
[00:41:35] Jayson: No, no. Th- that's gold. That is what I have been preaching, I mean like literally preaching for years, for decades. It's like the, the key thing is day one of your job you need to understand from the mailroom to the CEO, you're part of the security team.
Your job is to make the widgets and secure the widgets. Your job is to market the widgets and secure the widgets. It's like, it's always about, there's a security factor. It's like this, it's like we hire delivery drivers.
We don't, you don't ever hire a delivery driver, give 'em the keys to the van and say, "Okay, well, we hired you. You must know what you're doing. You can go off on your own now."
[00:42:13] Rik: No.
[00:42:14] Jayson: No. You explain to them. It's like, "Hey, these are what our rules dictate. It's like, and you have to wear your seatbelt, you have to use your turn signal."
Those are all security devices. It's like there's airbags in the vehicle for security, it's like there's a car alarm for security. These, you give them all the security tips what you're d-, why not with the computer?
It's like that's part of the job is that they need to understand how to secure what they're working on, not just do the work on it. And what they, they don't realize that's part of their job responsibility then they don't care.
[00:42:47] Rik: Yeah.
[00:42:47] Jayson: Because they're only doing what's re-, what, uh, like humans, it's human nature, they're doing the, what they need to do to get paid.
[00:42:57] Rik: [crosstalk 00:42:57]-
[00:42:57] Jayson: And if that's not, if that's not explained to them-
[00:42:59] Rik: [crosstalk 00:43:00]-
[00:42:59] Jayson: ... then they're not going to do it.
[00:43:01] Rik: What, what they need to do, to do someone a favour. They're doing things like what they need to do to be helpful or friendly.
[00:43:06] Jayson: Yeah.
[00:43:06] Rik: This is all, all, it's part of being human, right.
[00:43:08] Jayson: So-
[00:43:08] Rik: And it's all the kind of, your attacks will take advantage of that desire-
[00:43:11] Jayson: Exactly. When you said, yeah, when, going back to what you said about the tailgate and being rude. It's like, 'cause I've broken into a building before in a wheelchair. It's like, and you're like, "Oh my god, Jayson, you're horrible." Yes.
[00:43:21] Rik: [laughs]. [crosstalk 00:43:23]-
[00:43:22] Jayson: "I'm trying to rob you. What part of rob you did not, you, make it understand that I'm a bad guy?"
[00:43:28] Rik: Yeah.
[00:43:28] Jayson: It's like I'm trying to, we've already accom-, we've established my ethics and morals. I'm committing a crime. It's like, so, yeah, it's like, "I'm sorry to hurt your feelings by betraying your..."
So what you do, and this is another key function when you've trained your staff, you allow your staff to not be the bad guy. Instead of teaching your staff that they have to stop someone, that's not what you want them to do.
[00:43:56] Rik: Okay.
[00:43:57] Jayson: When a, a, a, an employee is being tailgated, their response is, "You're not allowed in here." No. Their response is, "I would love to let you through, but there are security cameras here and there and security says that you're not allowed to go in past me.
And then I'd get in trouble. It's like and, and I don't want to get in trouble. It's like and I would normally do this and it's like and I know that you're legit, but it's like you have to go check in with security. It's like, that's required."
[00:44:21] Rik: Yeah.
[00:44:22] Jayson: "It's like it's not me. It's like if I had my way to do it, it's like I would totally do it, but it's them. Those a-holes over there."
[00:44:28] Rik: [crosstalk 00:44:29]. It's also situationally dependent as well, because what I noticed, um, r- recently, uh, 'cause I have a, a one-year-old who, well, who was in nursery until pandemic [laughs], supposed to be in nursery.
Um, the one place where no one really gets offended that you basically shut the door in their face is at the door to the nursery, 'cause everyone gets the reasoning.
[00:44:49] Jayson: Right.
[00:44:49] Rik: So some of it is, is just about creating that level of mutual understanding that there is a reason-
[00:44:54] Jayson: Yeah.
[00:44:55] Rik: ... there's a purpose, and then it becomes fine, right. Everyone understands that we need to protect the kids that are in the nursery building from strangers going in and picking up kids that don't belong to them, for example, right.
[00:45:05] Jayson: Yeah.
[00:45:05] Rik: Everyone's cool with that. So you need [crosstalk 00:45:08] to enterprise environment.
[00:45:10] Jayson: E- exactly. And one of the things that helped me with that, it's like to get that to, when I first worked at the internet bank, uh, back in 2000, was I explained it very succinctly as this.
The day that the vault was that big shiny thing in the lobby of the bank is over. That's not where the money is. The vault is now that terminal that you're sitting in front of.
[00:45:37] Rik: Right.
[00:45:37] Jayson: It's like and when we understand that and you teach your employees that their livelihood is at stake with every single one of those machines inside your building or when you're transporting that machine, they're transporting their company's secrets, their company product with them.
It's like, that's when you start getting a better buy-in to security. It's like because one of the threat models that you can do is like, it's like following people as they leave the building and seeing when they stop.
'Cause it's like when I look into research, I show executives a map of Google and I show them at least five different restaurants, five different, uh, grocery stores, and five different, uh, petrol gas stations, uh, within a one-mile radius of their facility.
And I tell them quite quickly. It's like, "Hey, this is where your employees are stopping off before they get home."
[00:46:39] Rik: Right.
[00:46:39] Jayson: To catch the bread. To go get uh, the milk. It's like to, to go and gas up. And that's when I can steal their laptop, because they've left it in the car, possibly in the front seat even.
It's like, so it's like, uh, that's where their badges are gonna be hanging from the, the rearview mirror. It's like so those are the things that you can explain and you express to 'em.
It's like your data is always gonna be at risk because it's not just a computer. It's not just losing 1000 dollars for a laptop.
[00:47:10] Rik: Mm-hmm [affirmative].
[00:47:11] Jayson: It's losing millions, and if you look at it and they think like, "Oh, this person's trying to steal millions from me" then yeah, there's a lot of things someone would do.
It's like, I mean maybe not George Clooney, Ocean's Eleven kind of crazy, but you know, you know, Looney Tunes kind of crazy that I do all the time. Yes. It's like, I, I do it, so I tell people this stuff's so easy, even I can do it. It's like, I do not do sophistication. It's like people-
[00:47:36] Rik: So how about, how about some-
[00:47:37] Jayson: Yeah.
[00:47:37] Rik: ... [crosstalk 00:47:37] then, because one of the things that I'm kind of thinking through right now, that obviously the, the, COVID-19, the global pandemic, the lockdown, uh, the, the, the basic, you know the freezing of-
[00:47:50] Jayson: Yeah.
[00:47:50] Rik: ... society and the freezing of everything that we've regularly been doing. These are different phases in different countries and it's opening up at-
[00:47:57] Jayson: Right.
[00:47:57] Rik: ... different phases and so on. A lot of people are, are saying how it's gonna change, um, society forever, how it's gonna change the way that we work, the way that we socialize. Uh, I'm not of that school. [crosstalk 00:48:08]-
[00:48:07] Jayson: Yeah, it, it's-
[00:48:08] Rik: This won't be a forever change.
[00:48:10] Jayson: Right.
[00:48:10] Rik: Uh, in a, in a, on a massive scale. It will def- definitely be a massive scale short to medium-term change. Um, certainly within Europe, anyway, that the, how businesses come back, how offices come back, how public transport is used.
Um, how, you know, pubs, restaurants reopen. All of those things. So there will be, short to medium-term, some very, very big changes. How would you leverage those as a social engineer?
How would you take advantage of recent societal change? And I, I realize I'm totally springing this on you, so you're thinking on your feet.
[00:48:42] Jayson: Yeah.
[00:48:42] Rik: But, given the way that society has changed over the past few weeks, um, what new opportunities or new avenues for attack would that present someone, uh, in your profession or someone who was a real bad guy?
[00:48:56] Jayson: Right. Um, from social engineering it's like, uh, it's different than the other way. It's like, when, uh, if you're doing Red Team and social engineering I, I do think, uh, because there's like ethical debates going on on Twitter, uh, between other social engineers going like, "Do you use COVID-19 in your phishing attacks?"
[00:49:15] Rik: Yeah. Yeah.
[00:49:16] Jayson: It's like, and my thing is, is like I'm not trying to be a social engineer, I'm trying to be a criminal.
It's like, like I'm trying to attack you like a criminal would, not some kind of sophisticated, showy little, "Oh look what I did, it's like craft... "
No, I'm down and dirty, basic. It's like, I, I call it not APT. I don't do advanced, persistent, or threatening. It's like I do basic, adorable destruction. I'm just bad.
[00:49:42] Rik: [laughs].
[00:49:42] Jayson: It's like, you know, I'm just bad. It's like so, that's what I try to do. And so, I always go back to an email I received two days after the Boston bombing.
It's like I received an email from, a- after the Boston bombing and it said "Boston Bombing!!!" In exclamation, three exclamation points in the subject line. And then in the body of the message it was the I-, an IP address, uh, so just numbers, boston.acml.
And I looked at that and I was like, first of all, from a professional standpoint I was like, "Yo, bro, you ain't even trying. This is like, you know, up your game." It's like this is-
[00:50:22] Rik: [laughs]. [crosstalk 00:50:23].
[00:50:23] Jayson: Yeah. And, but then I thought about it and it's like, my daughter was racing in the Boston bombing, uh, the Boston marathon.
It's like if I had relatives there. It's like if the cellphone towers are saturated. It's like I can't get through-
[00:50:37] Rik: Yeah.
[00:50:38] Jayson: Would I click? Because humans desire information during a time of crisis. They're just always on the television, always trying to consume, trying to find out. That's why disinformation is so effective.
[00:50:49] Rik: Yeah.
[00:50:49] Jayson: It's because they're reaching for lifelines and they're, and that's the news. That's information.
And so that was a valid attack, so that was a valid attack 'cause someone would click that because they were desperate to find out. And so if you're not teaching companies that those kind of threats are out there and are being used.
The tsunami, it's like event. It's like, it's like, I mean that, hundreds of thousands of people died. It's like, a- and by the way how much did that change the, the tourism in, in way that people operate in, in the [crosstalk 00:51:22]-
[00:51:23] Rik: Absolutely.
[00:51:23] Jayson: 1918. How did, how, how did we, how did the culture change? It's like, you know, or for how long?
It's like so yeah, so I don't see us changing that much. Humans are creatures of habit and it's like humans like norm- normalcy.
[00:51:38] Rik: Yeah.
[00:51:39] Jayson: Humans don't want to feel threatened, so they will do everything and, and unfortunately give up their right for that normalcy.
It's like, and that's what we have to be more afraid of right now. I'm more afraid of our governments right now than I am afraid of criminals, uh, attacking us. Uh, so-
[00:51:55] Rik: Well I, I was thinking though more like, you know, like would it give you an opportunity to walk into a workplace wearing a, a home-made uniform and y- you're the COVID-19 inspector, or you're the...
Actually, wow. I- I remember when I first got my, my first job in a, in a real office, must have been late 80s I think. 1988, '89, something like that.
There was a lady that used to come regularly. I don't know if it was daily or weekly, but she used to come around and s- sanitize all the handsets on the telephones.
[00:52:24] Jayson: Yeah.
[00:52:24] Rik: Literally come around with a cloth and she would be-
[00:52:26] Jayson: Yeah.
[00:52:26] Rik: ... like wiping the handsets and cleaning. Uh, surely, this, the change in working practices with social distancing in the office, no more hot-desking, uh, you know, a respectable and measurable distance between you and the people around you.
That's gotta open, open some interesting avenues for you to, uh, to create new stories, if you like.
[00:52:47] Jayson: Yeah. I, I would say that, it's like, I would go with this. It's like, quite honestly it's like, there are new avenues to do that from that, but why? It's like, I mean uh, uh, uh, my friend April she, she got me a CDC shirt.
[00:53:03] Rik: Mm-hmm [affirmative].
[00:53:03] Jayson: I literally have a legit CDC Center for Disease Control Prevention shirt. Uh, I'm never gonna use that on an engagement. It's like my basic Saturday Night Live work shirt that says, "Your company's computer guy"-
[00:53:18] Rik: [laughs].
[00:53:18] Jayson: ... has literally gotten me into locations, secured locations, in New York even. It's like right across the street from Ground Zero. It's like I, uh, I've worn a shirt that said "Hacker" on it in Malaysia when I was robbing a hotel in Malaysia, and it, the shirt said "Hacker."
I don't need to use, I don't think people need to use COVID, uh, or this pandemic as a way to get in. There are avenues that you can use it in, yes.
And it's, it's good for you to do and create and write out scenarios to get to your users so they can be aware of those scenarios, but there's not necessarily a reason for an attacker to use those. It's like a social engineer-
[00:53:57] Rik: Yeah.
[00:53:57] Jayson: ... or Red Teamer or [00:54:00] someone professionally. It's like it's good for them to be aware. It's good for them to know these attacks-
[00:54:07] Rik: [crosstalk 00:54:08]-
[00:54:07] Jayson: ... but not actually do it. There's too many other good ones that are still useful.
[00:54:11] Rik: That's exactly how... So, you know, when I've given talks at places in the past, I've more, on more than one occasion had people approach me afterwards and, and uh, question like, "Rik, why are you, why are you talking to us about security basics?
We want to hear about, uh, you know, the, the, the most intricate and advanced APT that you've, you've, uh-
[00:54:32] Jayson: Yeah.
[00:54:32] Rik: ... dealt with in the last twelve months. Or tell us about some fantastic zero days." Or, and, and, and the answer, which I have to give people because I think it's important to be straight and honest.
The answer that you have to give people is, "You don't need to worry about that stuff. That's not the stuff, really, that's relevant to your business." And I suppose it's-
[00:54:48] Jayson: [crosstalk 00:54:48]. Exactly.
[00:54:49] Rik: ... it's the same thing with, with physical, right? That you don't, that, criminals are not going to innovate or change unless we force them to innovate or change by fixing the basics and right now, that's not what we're doing as, as, as professionals within organizations.
[00:55:03] Jayson: You can tell how old we are because we, we, over our career we've come to these same [laughs] conclusions and we're like hitting our head against this, you're like on the same wall that I'm on, just next to it, you know beating our heads up against that same wall.
It's like I totally agree with you on that. It's like because I tell people, it's like, uh, one of the things that gets me with some of these Red Teamers, especially with some of these people with these egos about like, "Oh, I'm gonna break in and I'm gonna go through the skylight or I'm gonna do all these kind of things to circumvent it."
And I'm like, "That's great. You give that report to their, your client and your client's going to be going, 'Oh, good, we're protected'."
[00:55:37] Rik: Yeah.
[00:55:38] Jayson: You know, "What are you talking about? I showed you all these things." Like, "Yeah, but you did all this ninja nation-state stuff. It's like, we don't have to worry about that. That's not our threat model."
[00:55:45] Rik: Yeah.
[00:55:45] Jayson: I literally robbed a bank one time within two minutes and 22 seconds from walking in the front door to having full access for over thirty minutes behind the teller line.
It's like installing malware, uh, spinning around in the chair, and all I did was I walked in and started talking.
[00:56:06] Rik: So-
[00:56:06] Jayson: What's your defense to that? How do you defend against that? It's like you don't have a defense against that. You can't say, "Oh, I don't have to worry about that." "Mother, you have to worry about someone like me just going 'YOLO and let's see if I can get in and, and, and um, plug a device in'."
It's, my shortest time from the, the bank door to a compromise, 15 seconds, and it's on film. It's like 15 seconds.
[00:56:31] Rik: You just used a, a, an expression, uh, which is kind of industry standard, but I think it's one that a lot of people, practitioners, uh, don't understand, or if, or maybe don't practice.
One or the other, or both. Uh, and that expression is threat modelling, right.
[00:56:47] Jayson: Yes.
[00:56:47] Rik: Definitely something which doesn't happen a lot.
[00:56:50] Jayson: Yes.
[00:56:50] Rik: Why don't you tell us about threat modelling?
[00:56:52] Jayson: Threat modelling is something a lot of people in our industry don't have a good concept on. It's like our threat modelling is understanding that my threat model is not gonna be the same as your threat model.
It's like a bakery has to have protection. They have to have security protocols in place. Not the same kind of security protocols as a delivery company, or as a bank. It's like those are all different kinds of threat models. Some need, uh, confidentiality, uh, more guarded. Some need uh, availability.
It's like, some places can go days without an internet presence being used. It's like, you know, without anybody having to worry about their website if their website goes down. Others will lose their company if that business, uh, website is down for more than a day. It's like others can go without email. Some can't.
[00:57:54] It's like, it's all about the threat modelling. We need to understand, it's like, and this is one of the things that gets me especially when someone does a picture or something.
Uh, and they release the picture and they go like, "Oh look at your horrible OPSEC. I know exactly where you are." I'm like, "Mother-[inaudible 00:58:07], that risk is mitigated for this, this, and this reason."
It's like, I shouldn't have to worry about you figuring out where I'm at 'cause it's like, that's, you're not in my threat model for that.
[00:58:16] Rik: Right.
[00:58:16] Jayson: It's like, a lot of these people that are like just innocent just civilians just going on and doing...
If I'm, you know, a foreign military person and I happen to be occupying another country's place and one of my soldiers, this is actually a true story-
[00:58:32] Rik: Mm-hmm [affirmative].
[00:58:33] Jayson: ... decides to tweet out, you know, a tweet and stuff, you know, and a picture that gives a geolocation and the fact that, "Oh, yes, we are actually invading this country" that's a, that's a-
[00:58:45] Rik:: That is a problem.
[00:58:46] Jayson: ... that's a problem. That's a problem.
[00:58:46] Rik:: [crosstalk 00:58:46] partly threat modeling, right? [laughs].
[00:58:46] Jayson: Okay. If I am a, a woman it's like and I'm in a bikini and I'm on a beach and it's like and all you're seeing is sand and also, and it's like and this is just a one time thing where it's like, "I'm just visiting," it's like, you know what, that's not bad offset. That's being [crosstalk 00:59:05].
[00:59:05] Rik:: So threat modeling is, is basically helping people to have the realization that they don't have to protect all the things all the time. It's risk management.
[00:59:11] Jayson: Exactly. Figure out what your business does. One of the things that security needs to do, and I am telling you, I am not a hypocrite, I failed at this when I first started in information security. It's like I did not take seriously what my company did for a business.
I thought I needed to make sure they had firewalls, antivirus, I needed to make sure they have IDS-
[00:59:35] Rik: Right.
[00:59:36] Jayson: I needed to make sure they had all those things in place. That was a disservice to those companies because what I needed to know was how they made money.
How their process worked. I needed to know what each process was. I needed to know how they were, and what went down how bad it would affect the company overall.
[00:59:56] Rik: Right.
[00:59:56] Jayson: And then, I could start protecting it. [01:00:00] Because this threat model here that's, then that's the threat modeling. F-, because you'll find out that, "Oh, this is a threat. I didn't even realize this would be a threat. But this is a threat versus just having a firewall, uh, being breached."
[01:00:14] Rik: What do, what do I have, who do I have, who has access to what, why, through what process?
[01:00:20] Jayson: Exactly.
[01:00:20] Rik: Yeah.
[01:00:21] Jayson: More professional way of saying it, yes. It's like a-
[01:00:23] Rik: Yeah.
[01:00:23] Jayson: ... it's like, so yeah. But I mean, that's what we need to start doing. So we need to start looking at it from that and stop, uh, not just victim-shaming but stop, you know, threat shaming.
It's like, you know, it's like, "Oh, well, dude, you didn't do this." Or it's like, "Oh what about this?" I could fi-... It's like, no, that's not their threat model. That's not their risk. It's, it's a, and, and I'm sorry.
We have gone so far from the place we're about eliminating risk. Your job is not to eliminate risk. Okay? It is beyond impossible in this day and age.
[01:00:55] Your job is to mitigate as much risk as you possibly can, then you go to your executives and you tell them, "Here's how much with the budget that we have and the technology that we have in place, this is how much risk we've mitigated."
Now, if you want to invest this much money, or make these policy changes, we can mitigate this much more. It's like, "And, at the end of the day, even if you let us mitigate this much more risk, you're still gonna have this much or this much more risk that you're going to have to accept, because like it or not-
[01:01:29] Rik: [crosstalk 01:01:29].
[01:01:29] Jayson: ... the Internet's necessary."
[01:01:30] Rik: For me it's not, uh, it's not about, it's not risk mitigation, right. That's, that's one strategy. For me it's, the, the, the, core of it is working out what to do about risk.
[01:01:41] Jayson: Right.
[01:01:42] Rik: Some of it, you're gonna mitigate. Some of it you're gonna have a budget for and you're gonna spend the budget and you're going to mitigate the risk however you're gonna mitigate the risk, whatever [crosstalk 01:01:50].
[01:01:48] Jayson: Right.
[01:01:49] Rik: Some of it, you're going to offset. There's an equally legit [crosstalk 01:01:53]-
[01:01:53] Jayson: Oh, the [crosstalk 01:01:53]. Oh, I forgot about that. Yes. Offsetting the risk. Yes, there's some that you can offset through third party contracts and SLAs and things like that, yes.
[01:02:00] Rik: [crosstalk 01:02:00] contracts. You just offset it and that's still a strategy. You don't have to mitigate it.
[01:02:05] Jayson: Yeah.
[01:02:05] Rik: Get some insurance. That's a, that's a p-, great offset for some [crosstalk 01:02:08]-
[01:02:07] Jayson: Right.
[01:02:08] Rik: ... really great against ransomware for some companies, for example.
[01:02:10] Jayson: Right.
[01:02:11] Rik: Although it funds cybercrime long term [crosstalk 01:02:13]-
[01:02:13] Jayson: Yeah. But there's still some you got to accept.
[01:02:16] Rik: ... right? The third strategy, and a- again, totally legit strategy with risk is accept.
[01:02:22] Jayson: Ex-, yes.
[01:02:24] Rik: That's okay. That's totally okay. You don't have to protect all the things all the time.
[01:02:30] Jayson: Right.
[01:02:30] Rik: Um, coming up on the hour, I've got one more question I want to ask you in the, in the chat there that's coming in live.
Uh, because we started off talking about, uh, quarantine and there's a question coming from Erin Johnson who says, uh, "What has been your best hacker adventure during quarantine period?"
[01:02:45] Jayson: Um...
[01:02:46] Rik: Good opportunities I guess for hacker adventures, right?
[01:02:48] Jayson: Yeah, it's, it's, it's been, uh, I, I actually have a hashtag on Twitter where I call it #IsolatedHackerAdventures. It's like a, so uh, basically, uh, I, I got a, uh, a trike, a, uh, Can-Am Ryker. Um, and it's a, it's a three-wheeled motorcycle.
And, uh, it has been my lifeline. It's like a, it's like I went through a really rough year in 2018. In 2019 I was just skimping along. I was not doing well either. I was just making do, and then November of 2019 I got Talon, which is the name of the, the bike, and that started giving me that, you know, like, "Oh, okay, I can go and do things. I can go out."
And so it started to give me a thing to, to go do. And-
[01:03:30] Rik: Lust for life.
[01:03:31] Jayson: Exactly. And it's like, and it just give me that, that, that drive to, to leave the house. 'Cause I was like literally just camped and I did not leave my lab at all.
It's like, uh, as you can tell I'm not there now. So it's like, so it's like, so I was just like uh, for two years, uh, just in there, uh, suffering. Uh, and so, uh, Talon gave me this lifeline.
So I, during quarantine, uh, I've done a game and my bike's in the shop, or about to be in the shop for two weeks and it's sad. But, um, but what I'd done with Talon was I would pick a place on Google Maps, uh, that was within 100 miles of my house.
And, uh, I went to Security, Texas. There is a little township called Security, and in-
[01:04:15] Rik: [laughs].
[01:04:15] Jayson: ... that township of Security, Texas, there's a church. And it's the Security First Baptist Church.
[01:04:27] Rik: [laughs]. That's great.
[01:04:28] Jayson: And so, like, 11:00 at night, in the middle of the night, I just drove, it's like 60, 70 miles to Security, Texas so I get a picture in front of a bus, a church bus that said, "Security First Baptist Church."
And then I, I got a bonus one on that one because I went through to get there I went through Cut and Shoot, Texas.
[01:04:49] Rik: [laughs].
[01:04:49] Jayson: Oh, Texas, don't ever change. It's like, and so I got a picture in front of Cut and Shoot, Texas city hall. [laughs]. It's like, so-
[01:04:57] Rik: [crosstalk 01:04:57].
[01:04:58] Jayson: ... and, uh, and so, and I went to the San [Jacinto 01:05:00] monument at midnight. I went to the seawall, uh, in Galveston at 1:00 AM. It's like, I went to places where people weren't, [laughs], and it's like-
[01:05:09] Rik: Yeah.
[01:05:09] Jayson: ... and that was my isolated hacker adventure. I would just go ride the ride.
[01:05:13] Rik: That's [crosstalk 01:05:14]-
[01:05:14] Jayson: Uh, and I've literally gone in big circles. I mean, I would just literally just not even stop once.
It was literally just I'm gonna go to see where this road ends and then when I find out where the road ends I'm gonna turn around and come back.
[01:05:27] Rik: So one other thing. You've done, uh, well, you've done a lot so far in your life and you'll continue to go on and do many more and, and even greater things.
But, one of the things that you have done that I am, uh, intensely jealous of because I wish I could motivate myself enough to get on with it, is be a published author. You've published three, uh, three semi-fiction works, right?
[01:05:48] Jayson: No, uh, two right now. I'm working, the, the, the-
[01:05:50] Rik: Two and the, the-
[01:05:51] Jayson: ... the conclusion of the trilogy, The Dissecting the Hack, uh, trilogy. The Inter-, uh, The Interdike Network, which is the third one, uh, is all... The, the quarantine sort of messed up the creative process for me. Uh, but I am trying to get that pushed out by this year, so.
[01:06:06] Rik: So that's the question. What's going on with Dissecting the Hack, and, and that [crosstalk 01:06:09]-
[01:06:09] Jayson: So yeah. I'm, I'm concluding it, um, it's gonna be a very final trilogy. It's like uh, that's like the only spoiler I'm gonna give out. It's gonna be very final.
Some, too final for some people. Uh, but, uh, it's gonna give way to a new series that I'm working called, called-
[01:06:25] Rik: [crosstalk 01:06:26]-
[01:06:25] Jayson: ... The Digital [Ronan 01:06:26] in series, uh, where, uh, this new character gets introduced and it, and it goes on. And I'm also, at the same time, writing the third book, uh, through SphereNY uh, my, my day job. It's like, uh, uh, and working with my, uh, my boss, uh, supervising adult guy, uh, Jason Burns.
Uh, I'm creating a book, uh, for the everyday person. Uh, it's a fictional story. It's a, it's a narrative, and then it's educational and it's like, and it talks about how to, uh, how attacks work and how to defend against them and how to respond to 'em. [crosstalk 01:07:01]-
[01:07:00] Rik: So like the handbook for the, for the potential victim?
[01:07:03] Jayson: Uh, exactly. And it's like, and it's not for, and it's 100%, uh, security people and IT people will get benefit from it, but they are not the target audience.
[01:07:16] Rik: Mm-hmm [affirmative].
[01:07:16] Jayson: The target audience is, uh, the accountant. The target audience is the school teacher, the nurse, the uh, sanitation worker.
The, I mean, just the regular person just doing their job and security and computer security really isn't that much of a thought to them. That's what-
[01:07:33] Rik: Yeah. [crosstalk 01:07:34]-
[01:07:34] Jayson: ... this book is good for.
[01:07:35] Rik: I'm looking forward to, to, to reading that. That sounds like a really worthwhile project. Uh, Jayson it's been an absolute pleasure. I want to thank you, uh, from the bottom of my heart for agreeing to, to be on, uh, uh, this live broadcast when you had no idea what it was.
We hadn't done it yet. I just kind of [laughs] came to you out of the blue and said, "Hey come do, do this thing with me." And you were like, "Absolutely, yes."
[01:07:57] Jayson: Always.
[01:07:57] Rik: So thank you-
[01:07:57] Jayson: Always want to help.
[01:07:58] Rik: Thank you so much. It's been a real pleasure having you on. Um, I hope the rest of your day, uh, goes swimmingly, uh, and I look forward to seeing you again in person soon. Jayson, thanks so much for joining us.
[01:08:09] Jayson: Definitely. Hugs in the future my friend. Thank you.
[01:08:12] Rik: Cheers. Thank you as well for joining us. Um, we, that was another hour that just flew by. Uh, I can't believe before last week's episode with Katie I, you know, I was unbelievably nervous about sitting here, broadcasting live, uh, across all of these platforms.
Especially, when anything can happen, like um, someone trying to, uh, someone trying to phone me on my, uh, on my Mac while I'm talking to you. I was unbelievably nervous about all of this stuff, um, and the people that I'm talking to, and I have a, a fantastic roster of other guests coming up, are just making me feel so comfortable.
I hope you're enjoying the conversations with them, uh, as much as I have. Um, once again, thank you very much, uh, for joining us. Um, I've been Ron Burgundy and you stay classy, San Diego.