Jayson E. Street is a professional penetration tester who has uncovered and helped patch security holes in banks around the world, but even he, a professional mistake-hunter, is not immune to serious blunders.
Street was once hired to perform a security awareness engagement in a bank in Beirut.
A security awareness engagement is a mock physical security breach whose ultimate goal is to improve an establishment’s security by educating its staff about existing dangers and how to be ready for them.
How He Does It
“I don’t have to bypass your firewall if I can bypass your receptionist.”
Jayson E. Street
To understand what Street does and how he does it, we can go back a few years before the botched Beirut bank job.
In 2013, Street successfully completed a bank assignment in Beirut.
He had been challenged to test the security of 3 different branches of the bank and to bring back a user ID, a password, a smartcard, a computer, and network access for the job to be deemed successful.
One of the key techniques Street used in that job was projecting an air of legitimacy that got him trusted – or even completely overlooked – by bank employees, executives, and managers. How?
For instance, when he entered the first of the three branches, he walked at a confident pace straight toward the manager’s office, past the executives, waited outside the door for a while without ever meeting the manager, and then went back to an executive’s office, looking the whole time like he knew exactly where he was going.
There, he told the executive that he needed to look at her computer because he was performing an audit, throwing in some technical lingo to add to his legitimacy.
The executive, who automatically took his arrival from the direction of the manager’s office as a sign of legitimacy, allowed him to plug his USB Rubber Ducky (a programmable USB device that behaves like a keyboard and types pre-scripted commands; commonly used as an attack tool and capable of a lot of damage) into her computer.
Although, in this case, Street’s Rubber Ducky was only programmed to open Notepad – since this was not a real robbery – he had technically just compromised the bank’s security. Street was only getting started, though.
From there, having been seen at both the manager’s office (supposedly) and an executive’s office, the hacker only gained more and more credibility in the eyes of the staff.
He ended up compromising another executive’s computer and every computer behind the teller line — all within 2 and a half minutes of walking into the bank for the first time in his life.
After having basically robbed the bank, he rallied its staff and told them what he had just done.
He explained how badly they had just been compromised, and then educated them on how they could prevent something similar from happening in the future.
Street then went on to do the same in the remaining 2 branches with similar ease, eventually delivering a user ID, a password, a smartcard, a computer, and proof of network access to the shocked executive who had assigned him the task.
The Time It Went Wrong
A few years later, Street landed in Beirut again and arrived at the bank where he was supposed to perform a security awareness engagement. He narrated this story on an episode of Darknet Diaries.
When he arrived, he needed to go to the bathroom. He went to the second floor with the presumption, based on experience, that the bathroom would be there, and it was.
On his way back down, he spotted two people working in a cubicle. He went up to them, told them he was with Microsoft, flashed a fake Microsoft badge, and went straight to work.
He plugged his Rubber Ducky into their computers and could have ended the job right there, as hacking into even one computer can be enough to compromise the whole system.
But he wanted each individual employee to be involved in the experience so that they would learn the lesson more effectively. So he went on to hack into more computers.
While he was at it, a person came up to him and asked him what he was doing there. Street again said that he was with Microsoft and was performing a USB audit.
He showed the person an email from the CFO of the bank on an iPad he had with him, again meant to convey a sense of legitimacy. The email did appear to grant him the authorization he needed to do what he was doing, but it was actually forged.
The man told Street that he still needed authorization from his supervisor, to whom the friendly hacker went and showed the email on the iPad. However, nothing could have prepared him for what he would hear next.
“This is for the bank next door. What are you doing here, and what did you plug into our computers?” the disgruntled supervisor asked, catching Street completely off guard.
Street realized he was robbing the wrong bank. Panicking, all he could say at the moment was: “This is unfortunate… I should not be here.”
Street was now in the bank manager’s office, amidst a group of angry people.
He tried to convince them that his USB device was harmless and that he was doing a job, asking them to simply Google him and see that he was known for these operations, but it wasn’t working.
So, he thought it would be a good idea to plug his Rubber Ducky into the manager’s computer.
He did, and Notepad popped up as expected, but judging by the facial expressions of the people in the office, Street soon discovered that his idea was not as sound as he had thought.
In their eyes, this intruder had just compromised one more device: the manager’s.
While that was happening, the executive who had hired Street to do the operation was looking for him because he still hadn’t shown up at the bank he was supposed to compromise.
The executive finally found Street and talked to the people at the bank, explaining what was going on.
Street was then instructed to go to the head office so that they could ensure that the tools he had on him were not malicious. Still nervous, he went to the location, escorted by another car.
At the head office’s security department, he spent 4 hours: half of them being questioned, the other half giving educational training about the compromise, after they had Googled “Rubber Ducky” and made sure that Street was indeed harmless.
Jayson E. Street was lucky to leave Lebanon without serious legal repercussions.
He also did eventually compromise the original bank he was supposed to go into, and it was a successful operation.