151: Chris Rock

Nov 05, 2024 | 58 min | Season 1, Ep. 151

Episode description

Chris Rock is known for being a security researcher. But he’s also a black hat incident responder. He tells us about a job he did in the Middle East.

https://x.com/chrisrockhacker

Sponsors
Support for this show comes from Varonis. Do you wonder what your company’s ransomware blast radius is? Varonis does a free cyber resilience assessment that tells you how many important files a compromised user could steal, whether anything would beep if they did, and a whole lot more. They actually do all the work – show you where your data is too open, if anyone is using it, and what you can lock down before attackers get inside. They also can detect behavior that looks like ransomware and stop it automatically. To learn more visit www.varonis.com/darknet.

Support for this show comes from Axonius. The Axonius solution correlates asset data from your existing IT and security solutions to provide an always up-to-date inventory of all devices, users, cloud instances, and SaaS apps, so you can easily identify coverage gaps and automate response actions. Axonius gives IT and security teams the confidence to control complexity by mitigating threats, navigating risk, decreasing incidents, and informing business-level strategy — all while eliminating manual, repetitive tasks. Visit axonius.com/darknet to learn more and try it free.

Support for this show comes from Flare. Flare automates monitoring across the dark & clear web to detect high-risk exposure, before threat actors have a chance to leverage it. Their unified solution makes it easy to rapidly identify risks across thousands of sources, including developers leaking secrets on public GitHub Repositories, threat actors selling infected devices on dark web markets, and targeted attacks being planned on illicit Telegram Channels. Visit http://try.flare.io/darknet-diaries to learn more.

Transcript

JACK

[Music] Just a content warning from the top here; there’s quite a few swear words in this one. I don’t know, do these content warnings even help anyone? Let me know if you like knowing if there’s swear words coming up or not.

Someone who’s been on my radar for the last decade is a guy named Chris Rock. Not that Chris Rock; a different Chris Rock, a white guy, an Australian. I know him as a security researcher, but as soon as I got on the call with him, I started learning that he’s way more than just a researcher.

CHRIS

Yeah, so, I’m a public guy for my research, but not public for that side of the business. So, for me it’s — for me it’s just a gig, and whether it’s white or black, it makes no difference to me. So, I think that sort of…

JACK

Wait; so, have you done black-hat gigs before?

CHRIS

Oh, shit, yeah. I’ve been doing them since I was eleven years old. This is the norm. I know a lot of people — and the white hats say, oh, I used to be a black hat and now I’m not. For me it’s like, I didn’t give a shit whether it’s white or black, are you a hacker, yes, no…

JACK

But hold on a sec. But the black hat indicates that you’re doing criminal activities. So, you don’t give a shit if you’re doing criminal activity.

CHRIS

No, not at all, not at all. It’s funny; I meet with a lot of people who do the whole ‘hacking is not a crime’ and all that sort of stuff. It’s all full of shit. That’s their public persona to keep their job safe. But at the end of the day, when you have a beer with them and you talk shit, it’s all bullshit. So, I’m essentially transparent about what I do.

JACK

So, what black hat stuff have you done? Not when you were eleven. I’m sure you stole your mom’s credit card or something, but that’s small potatoes compared to when you’re an adult, I suppose.

CHRIS

We’ve done everything. We’ve done banks, we’ve done government, we’ve done telcos, we’ve done big oil companies just out of exploratory processes. Like, yeah, normal stuff. When I say ‘normal stuff’, normal for black hat people.

JACK

No, I’m not tracking. So, you’re telling me you robbed a bank and then just took the money?

CHRIS

Yeah.

JACK

[Laughs] Chris, what are you doing?

CHRIS

[Laughs] For me, it’s an exercise. It’s just, can you do it? Yes, no, transfer. There’s a lot of people around the world that will pay you to get into these banks and transfer money.

JACK

Yes — [laughing] you’ve broke my brain here.

CHRIS

Sorry, buddy.

JACK

I don’t even know where to go.

CHRIS

You got multi-angles and — look, you may not — we may not be able to cover it all in this call. It’s just an exploratory call.

JACK

[Laughs] It’s like, ten calls.

CHRIS

I mean, the hard thing with you, Jack, is you’ve got a thirty-something career that you’ve gotta stick into an hour block. It’s not gonna fit. So, it’s a…

JACK

Okay, have you ever been arrested?

CHRIS

No.

JACK

How are you this good that you’re able to rob banks and not get arrested?

CHRIS

It’s not that I’m that good. It’s just, you have to be stupid to get caught. You know what I mean? The world’s your oyster. I mean, we get raised in this world — I mean, I train forensics, anti-forensics, and it’s just the norm. Like, it’s — I feel sorry for the people that do get caught because, man, you shouldn’t be hacking shit that — when you’ve got five years’, ten years’ experience. Once you’ve done it for twenty plus years, it’s just easy.

(Intro): [Intro music] These are true stories from the dark side of the internet. I’m Jack Rhysider. This is Darknet Diaries.

JACK

Alright, so, who are you and what do you do?

CHRIS

So, my name is Chris Rock. I’m fifty-one now, so my career started when my parents bought me my first computer, which then it was an older computer, but it was the Atari 2600. From there it went to Commodore 64 and Amiga and then IBM. So, I was born at the right time for computers. Loved hacking. I’m on — I consider myself on the spectrum. I prefer the company of computers than people. So, for me, spending sixteen, twenty hours a day in front of a computer is natural, and I’ve done it since I was ten or eleven years old. So, you spend that much time in front of something, you become good at it. So, I’ve spent my whole — the last forty years on a keyboard. Then I went to university at eighteen. Didn’t like uni. It was coding. I hate coding, so dropped out of uni. Uni wasn’t really for me, so then I went into the sector. So, it was IT slash — really, IT; eighty percent, then security; twenty percent.

But I went into the banking sector. So, I spent the next ten years in banks, in Australian banks, which you could probably tell from my accent. Ten years in banks, and then someone said to me, what do you want to do now? I said, you know what? I want to do some pen testing. Then I set my own pen-testing company, so I did pen testing for another ten years after that around the world. Then one of my customers from pen testing wanted the same solution. I said, look, I can help you out. I can stitch some open-source products together like Elastic and stuff like that. I did that and they really loved it. Then they said, why don’t you give it to the rest of the world so they can have a look at it? Which seems to be the platform they’re running now, SIEMonster Version 1. So, we rolled that out. It got a lot of traction. Essentially, that’s my full-time gig. I am the CISO of SIEMonster, S-I-E-Monster.

JACK

What a SIEM does is it collects all the security logs of an organization and alerts when there’s a security incident, and Chris made his own called SIEMonster, which came about because he was breaking into companies and saying things like, oh, if you had logging turned on, you could have saw me. Those companies were like, well, set up logging so we can see you. So, he’s got quite a bit of experience in both the offensive and defensive side of cyber security.

[Music] So, while I was talking to Chris, he started telling me about a job that he had in the Middle East, and I’m not even sure what kind of job this was. It’s not exactly a penetration test and it’s not exactly an incident response.

CHRIS

‘Research and engagement’ is probably a better word for it. So, when I was doing pen testing, people would say, Chris, you seem like a guy that would do outside activities, and then I would get approached for these outside activities and then — around the world to hack into this person, hack into this company, and get these secrets and that sort of stuff. So, essentially both paths I work in.

JACK

So, through word-of-mouth, there’s someone in the Middle East who needs a hacker’s help and heard that Chris is the guy to call for these sort of things. So, he calls him up and says, can we meet?

CHRIS

Usually they do it in person. So, in this case, I flew to a neutral area. So, I flew to Istanbul in Turkey, and then met over dinner to talk about the exercise that he put forward.

JACK

That’s quite — I mean, already I’m intrigued, right, because it’s like, hey, we have this job; if you want more details, meet me in Turkey.

CHRIS

Yeah, it’s — and I say it off the cuff because that’s natural for me, and I know a lot of pen testers don’t see that side of the world. They see it in a forensics report or incident response, but once you live it and you go through it — a very interesting world. Jack, I’ll use you as an example. You get paid every week/fortnight/whatever, and you get your paycheck. Tax comes out of it and stuff like that. But when you’re on that other side, it doesn’t work like that, obviously. There’s no tax, but you gotta get your money and things are expensive; burner phones, burner laptops, crypto, peer-to-peer money, getting your money washed, all that sort of stuff. Different world. It’s a great learning curve, but a lot of us don’t get to experience that sort of stuff.

JACK

Well, yeah, what is this engagement? Tell me more about how this was pitched to you and what you — what’s the job and stuff?

CHRIS

Yeah, so, I met this guy. We’ll just call him Mike. I met Mike, and Mike worked for a company. They were rich Middle Easters who — essentially, he was one of five brothers, and each of the brothers was worth about a billion dollars. But he was only worth $200 million, so he was like the poor loser of the family. I know that sounds really weird, but he had to take bigger risks to compete with his brothers to get to that billionaire status, and that’s why he would engage hackers to assist him with his business activities. So, in this case, it was put forward to me that one of his subsidiaries, he thought that they were stealing money and then moving that money to another company, another offshore company, and also the IP from that company. So, he asked whether I’d be interested in finding out whether it was true and then to recover as much money as possible.

JACK

Huh. We’re dealing with a few mega-rich billionaires from the Middle East here, but the one brother isn’t quite a billionaire yet, and he’s keen on hiring a hacker’s help to investigate where some of this money went.

CHRIS

[Music] In this exercise, it was a cash deal. I was offered gold in a briefcase, which is pretty fucking useless, getting gold overseas. But you get — you either get offered different types of currencies.

JACK

Gold in a briefcase is what they offered you?

CHRIS

I know, it’s — I know. When I heard that story, first of all, I thought it was just a shit story. But no, they had cash ready to go for the exercise. But they said if I prefer gold, I could get gold. So, being not a native from that part of the world, it was pretty useless for me.

JACK

Okay, so, did you meet with this multi-millionaire directly in Turkey?

CHRIS

No. You always go through an agent. So, I don’t want to sound rude, but when you’re dealing with Middle Easterners, you don’t actually deal with the Middle Eastern guys. You deal with — I’ll say you deal with a white guy, because they don’t want to have any direct link to the foreigner. So, I met with an agent of the rich guy, and he was from South Africa, and him and I discuss what was required; targets…

JACK

Chris, this is not a normal incident response or engagement or exercise or whatever it is you called it. When I hear that they wanted this extra layer between the client and you, it makes me think that they want plausible deniability. So, if you get caught, they could be like, we don’t have any Aussies on our payroll. I’m not sure who you have, but that’s not our problem, and they’ll just leave you in the dust. Do you see it that way, too?

CHRIS

See, the answer; yes. You are spot on. It was essentially one level removed, and the reason I hesitated with my language before about — talking about a white guy — we refer to them as skirt-wearers. So, the Middle Eastern with their long garb that they wear — so, a skirt-wearer will not meet a Western guy. So, there’s always a Western guy dealing with a Western guy. That’s the language that we would use for these sort of assignments.

JACK

So, since this client has heard that Chris has done some mercenary-type work before, they wanted him to come investigate this theft, see if he can help them build a case against the guy who took it.

CHRIS

Spot on, and there’s parts of the world that essentially are the Wild West. So, the Middle East, for example, they do not give two shits about the law or that sort of stuff. So, if they need — even if you need to hack into a money to get their money returned, they’ll do it. You need to hack into the company; do it. It’s normal, and when you’re dealing with government-sponsored stuff, it’s normal activity for them. So, don’t put your American brain on it. Think of it as like the Wild West.

JACK

[Music] Now, typically with a penetration test, you are given a scope, you know? Like, you can hack into this stuff, but don’t hack into that stuff. But he wasn’t given a scope. He was told, by any means necessary, conduct your investigation. On a typical incident response, you’d be given some internal network access or at least access to some logs or documents to comb through to figure out what happened. But here’s the problem; all this company knew was that they gave this money to an investment firm and they didn’t get what they expected. So, they wanted Chris to pretty much do the incident response by getting into that investment firm and combing through their logs and documents to try to find proof that they did misappropriate this money or steal money or steal intellectual property. So, really, all they gave Chris was this suspected company’s name and the people who worked there. They were like, here’s our suspects. We don’t have any other details.

CHRIS

No. We got a list of names — so, there’s eight names — and what information they knew about them, whether it be phone numbers, personal e-mail addresses, work e-mail address, name of the company. Nothing else. It was completely then ‘earn your fucking money and get in by any means necessarily.’

JACK

So, the names you were given are the employees that work there?

CHRIS

Some in the company and some outside of the company, because the theory was that money was going into this company and then going out to another company, another investment firm, that was essentially going to steal the IP from the subsidiary and then launch another iteration of that with the IP and the funds that was coming from the original investment company.

JACK

So, what are your first steps? What do you get going? What do you do?

CHRIS

Yeah, so, the first step — so, we had a number of targets. It wasn’t a single target. [Music] We had essentially eight targets on our list. So, essentially — we essentially map out the person, the internet-dumb research on who this person is, how they live their lives; LinkedIn, social media, all that sort of stuff, getting that sort of information, obviously phone numbers, e-mail addresses, physical addresses, and stuff like that, and then plan an attack. Like, who are we gonna go after first? Are we gonna go after the prime target first? I’ll use the guy — Bob, Bob and Alice is an easy one to use.

So, in this case, we were — the prime target was Bob, but we had all these other targets like Alice and Jane and all that sort of stuff, and maybe we don’t go after Bob first. Maybe we map out these other people first. So, when we do an exercise like this — and we’re talking big money. When we do exercises like this, we own — we don’t just send a blind e-mail and then just like, oh, they’re onto us or oh, we got in successfully. So, we’ll essentially own their whole world, so — and we talk about Level 1, Level 2, Level 3. So, Level 1 is their inner circle. In this case, Bob’s wife, Bob’s kids, all that sort of stuff. Then you have a Layer 2, things like accountants, lawyers, gyms, all that sort of stuff for Level 2.

Then you have the 3, the affiliates on the outside. So, we might target — in this case, we would target Level 3, Level 2 first. When I say ‘target’ — as in own e-mail. So, you could actually — if we sent an e-mail to Bob, he would reply to it and wouldn’t think it’s dodgy, if that makes sense. Not from Leah. Dodgyidiot@Gmail.com — that’s actually a real person. So, we would target Level 3, Level 2, and then once we’re comfortable with all those assets — now, I know that sounds very exhaustive, but when you’re doing these sort of gigs, those Level 2, Level 3 come in handy down the track.

JACK

Whoa, this guy’s serious. I’ve told you many times, don’t open attachments on e-mails or click on links from texts from people you just don’t know. But what Chris is doing is he’s targeting people this guy Bob did know, getting into their e-mails and their network first so when it’s time to target Bob, he’ll be sent an e-mail from someone he does know, and perhaps even a document that he’s been expecting. Like, for instance, if you get an e-mail from your doctor with the lab results included, that would likely be an attachment that you would think is safe to open. This is the kind of stuff that Chris was trying to do to avoid any suspicion that Bob is being hacked into or spied on. This, to me, has a level of sophistication that I’m impressed by. Yeah, so, what made you interested in Bob as opposed to the other seven?

CHRIS

Bob was the boss. He was the — he’s the CEO. So, he’s target number one on our list. If you got a deck of — American deck of cards, he’s like the Ace of Hearts, if that makes sense.

JACK

Mm-hm. Okay, so, you were gonna start with him, and if you need more information, you’ll go down the line with the other…

CHRIS

Actually, no, we didn’t reverse order. Remember I talked about — we did a Level 3 first, Level 2, Level 1? So, we essentially start bottom-up because we want to have — you don’t want to send a blind e-mail. You need to understand. You need to read the e-mails and get the personality of Bob before you approach Bob. So, you need to know if Bob’s dealing with Jane, what’s the normal language flow between Bob and Jane? So, you compromise Jane. You get the From e-mails from Bob so you can see the language and what time of day e-mails get sent, that sort of stuff. So, we do not do the first target until last, if that makes sense.

JACK

So, as Chris gets to know more about Bob, he starts hacking into everyone around Bob; [Music] their e-mails, their computers, their phones, their locations. This allows him to see who’s in Bob’s orbit, and how does communication look between them? At the time, Chris had some really nice vulnerabilities in Adobe PDF Reader, and would send e-mails to someone and getting them to open the PDF, and that would allow him to install a remote-access Trojan and get access to their computer.

CHRIS

Yeah, so, in that case, the Adobe was enough to get probably four or five of the eight people and also the subsidiaries. So, a lot of the pen testers who listen to this will know that once you’ve got remote shell, it’s pretty much game over, and it’s things like key loggers and stuff like that. But the more complex things that we did is — we didn’t have access to the investment firm that Bob was moving assets to or IP to, so…

JACK

[Music] So, it was time for Plan B. Plan A was to hack into the laptops of the employees of that company, but even though he could get the Trojan installed, he just couldn’t get a connection into their machine when they were in the office.

CHRIS

So, we wouldn’t get their shell — we wouldn’t get the shell returned to us. So, it was either some sort of egress back filtering that we couldn’t get an open shell. So, we would have PDFs being clicked on, but we couldn’t get a remote session from the target, so we had…

JACK

Walk me through what’s supposed to happen here. Is it Metasploit that you’ve used?

CHRIS

So, yes and no. In this case, we would use Metasploit as a pen tester, but we would do our own custom PDFs that we would run against AV. So, we would upload it against VirusTotal to make sure nothing picked it up. So, we would send the PDF off, that when it was double-clicked, it would then remote connect back to us on a port; port 3, whatever that we thought would get back through an egress port back to us that would then essentially have a listener like Metasploit, but we would have our own listeners listening in this case.

JACK

He wanted to get into the company’s network. He was hoping there he’d find some file servers or something which could offer him more evidence of what got taken. This company was a small investment company and didn’t have a dedicated office, but instead was working out of a coworking type space, kind of like WeWork. But to break into an office in another country, you really need to come prepared. You need all the plans; Plan A, Plan B, Plan C, and escape routes, too. This isn’t a mock exercise. This is playing for keeps, and potentially very dangerous.

CHRIS

The first plan never works. It’s just one of those things in life. It never works, so — and if it does, it’s like, man, that was the one-in chance — you’re right, multi-gear — it’s one of those things. You have to plan for the worst.

JACK

The goal was to get access to this company’s network, but where’s that company’s network and how do you get into it without being caught? This is where the more you know about that company, the better. [Music] He discovered this company had a Wi-Fi network set up in the building, and what’s more is the Wi-Fi they were running was using WEP encryption. This was years ago when WEP wasn’t so uncommon. Today we use WPA, which is much more secure, but WEP had some vulnerabilities. If you could get a radio near the WEP Wi-Fi router, you could intercept enough beacons and packets to get on their Wi-Fi network. So, that was the goal; get in the building, get within range of their Wi-Fi router, and plant a device to listen to and capture the WEP packets.

CHRIS

We actually had to do custom-built stuff. So, I got an Italian motherboard — it was the tiniest motherboard at the time — and then built up my own Linux stack with Wi-Fi hacking and things like PuTTY and reverse-shell tools like Plink and stuff like that that we would use that we would plant close to the VC firm.

JACK

So, he loads up his kit full of cool gadgets and flies over to that country. You got any sort of way you dress up when you go out to these things?

CHRIS

Just a black or blue suit with a white shirt and tie. It’s just — even if it’s fifty-degree heat like in Kuwait, you just — that’s what you wear.

JACK

That’s not what a black hat hacker looks like.

CHRIS

I know, I know. Exactly right. So — yeah, so, a hoodie, all that sort of stuff, that doesn’t command respect over there, but suit guy over there in their eyes? Respect.

JACK

He goes to the office building and starts planning out how to get in.

CHRIS

That’s the easy part. A white guy in a suit with a laptop with, you know, someone holding lots of books, someone will open the door for them. You know what I mean? It’s one of those pen-testing stories that you’ve probably heard a million of, that people open doors for me.

JACK

Yeah, but that works in the US or even in Australia, but if you’re a white guy walking into a place with a bunch of people that don’t look the same, you’re not — now you’re out of place.

CHRIS

Your thinking’s right, but when a white — so, let me show — Middle-Eastern companies like a Westerner in there because these people have been trained outside of the Middle East. We trust them. They’ve been to Cambridge and MIT, all this sort of stuff. So, it comes with an inherent trust. You’re right, Jack; your thinking is, oh, the white guy sticks out of place, but no. Over there, a white guy — you do what they say. Because if you’ve done any work in the Middle East, they employ the best German engineers and the best English financiers and stuff like that. It’s not unusual for a white guy to come and pretty much run the show, if that makes sense.

JACK

So, he’s let in the building no problem, and it’s a coworking space, which means there’s a lot of small businesses working out of this building, and he can use that to his advantage because everyone is used to seeing strangers roaming around.

CHRIS

Getting access to the building was really easy because it was — like you said, it was a coworking space, and then finding out that they were on a floor that had one of those communal kitchens — for us, it was easy as — I didn’t have to get past a reception or someone — what are you doing here? It was essentially, go and making a coffee, pulling the microwave forward, sticking something behind it, and then, boom, we had a device planted in to get this last VC firm.

JACK

You said ‘we’ a few times. Who else is on your team?

CHRIS

Yeah, when we talk — when I’m talking about owning Level 3, Level 2, Level 1 targets, there might be twenty targets behind the scenes. We’re talking about Bob’s doctor, Bob’s lawyer, Bob’s accountant, Bob’s gym, in extreme cases, things like Bob’s bank. You can’t do that all by yourself. That would be a year-long exercise and it’s not worth the effort. So, I always work in a team to do these activities just to make that load easier, if that makes sense.

JACK

[Music] Okay, so, it was fairly uneventful getting in, but he managed to slip in, go into their kitchen, go behind their microwave, plug in this little computer with an antenna, and then slip out of the building. Now him or his team can access this little device remotely, because it has its own cell connection so that he can just access it from anywhere in the world. Their first goal is to get on the Wi-Fi network. To do that, they’re gonna have to crack the WEP protocol. They log into that little device and fire up a tool called Aircrack-ng. What this does is it intercepts as many Wi-Fi packets as it can.

If you think about it, Wi-Fi is wireless, so the packets are just flying through the air all over the place. It’s pretty easy to tune your antenna to just see them and grab them. Today’s modern WPA protocols make it so even though you can grab the packets out of the air, you can’t see what’s in them. But with WEP encryption, there are vulnerabilities in which you could grab enough packets to be able to decipher it and get into the Wi-Fi yourself, which is what they did. After running Aircrack-ng long enough, they got their little device on the office Wi-Fi, which now they have a little machine on the inside giving them an inside look into their network.

A network scan shows them a few devices that are there, and then they look at what ports are open on those systems, and then they can guess what devices those might be. They find a file server which employees were using to store documents and such. Remember, this is an investment firm, so they’re managing a lot of money and have to maintain relationships with people and know which businesses they are invested in. So, all this must be documented somewhere, and this file server was exactly where it all was.

CHRIS

That’s correct. Then we had access to file servers and stuff like that, and e-mail servers, and that’s how we got into that company that we couldn’t get in through the whole remote-PDF stuff.

JACK

At this point, Chris has a huge amount  of visibility into this investment firm and the   suspects who might be stealing this money and  intellectual property. He’s got a ridiculous  

amount of listeners in place, full access to the  network. Like, he can look at all the files on   their file servers and e-mail servers; full  access to some of the suspects’ computers   through remote-access Trojans that were put on  there, he’s able to see every e-mail in and out,   and he also has keyloggers on their computers  so he can see what their usernames and passwords  

were. But he also has access to e-mails and  computers with people around the suspects;   family members, friends, doctors. He’s also  looking to see what kind of bank accounts these   people have just in case he needs to get in there  and take a look to see where money’s going. So,   with all this access, he starts finding  stuff that the client might be interested in.

CHRIS

On file servers you’d start  seeing folders, like a folder,   and then we’re talking about — in the investment  firm, you would see Bob’s — and then you would   see things like IP and stuff like that, which  we would then run past our client, saying,   is this the sort of stuff that you’re worried  about leaking into somebody else’s hands? Then  

we would send that to our handler who’d say, yes,  no, yes, keep targeting, that sort of stuff. So,   you’re starting building a picture. This exercise  went for a long time. I don’t want to exaggerate,   but I think this one went for  nine-plus months on this exercise. It was just a continual string. So, over  that time, you’re reading every e-mail back  

and forth. So, you would get all that sort  of information and learning how they speak   and how they think and proper language. So, you  start piecing the puzzles together on what this   guy is actually doing. Because — I’ll say this  polite; we don’t give a shit what he’s doing.   It’s essentially here’s what he’s doing, client.  Is this what you want? Is this what you suspected?  

There’s no emotion. Like, we don’t give a  fuck. It’s just a job. Then we would give that;   say, yes, no. How do you want us  to proceed? Then go from there.

JACK

The client kept telling him he’s on the  right track. Keep finding more details and send   them over. Like he said, he maintained his access  for quite a while as he gathered all this info.   But he doesn’t want his presence to be detected,  so he has to be very careful not to be seen.

CHRIS

[Music] So, essentially what we would do  with a black-hat exercise — we might compromise   eight targets around the world, and the last hop  would be from the home country. So, for example,   we might compromise a hotel in Pakistan and  an Airbnb in India or in another country. Now,   these countries don’t part — they don’t  do forensics with each other. They’re  

essentially at war with each other. So,  you would hop your traffic across seas,   and then the last hop would be — in this  case it was — I think it was Kuwait. So,   essentially, the last hop before the target would  be a Kuwaiti IP, and we actually owned the telco   at that stage in Kuwait, so it was essentially  — didn’t really matter. Just got into AT&T.

JACK

What? What? My gosh, just to log  in to their Gmail, you’re like, wait,   we can’t do it from Australia. Let’s get over  there and log in from there. I’ll tell you what;   I got a plan. First we’re gonna  hack into an Airbnb in Pakistan,   and then we’re gonna hop over from there to  hack into a telecom provider in that country,   and then from the telecom provider,  that’s when we’re — that sounds so crazy.

CHRIS

Yeah, and so — and it’s great — so, when you talk — like, when people talk about a little black book, we would essentially have a network of these compromised target — not the telco. Let’s leave the telco out. We would have a network or a path we could use when we want to do a hack job. We’re not doing it from the local McDonalds or from your home, for example. So, we would have this rotating list of our own proxies. Not Tor or anything like that; our own targeted proxies to do the hops that we want. Like, we definitely want to do India, Pakistan, Sri Lanka, Bangladesh, ‘cause like I said, they hate each other. So, there’s no ‘can you give us your details for this activity’. Like, it’s not gonna happen. So, we would use the wars of the world that benefit us. So, that would be our black book of targets. So, we always have, and when we’re not working, we would essentially find these targets for our next assignment. So, you always have that little black book of — like you’ve talked about before — tools. We would have compromised targets around the world that we were gonna bounce off. The telco was — just happened to be something that I love working. I love hacking telcos. So, it was one of those things. It was gonna come in handy.

JACK

Gosh, so to carry out a task like this, he has to spend quite a bit of time and resources finding vulnerable systems around the world so he can hack into them only to use that system to jump over to another computer in the world. This way it’s impossible for anyone to track his route back to where he came from. But also, think about the fact that he has that little computer behind the microwave in the office that he’s targeting. It’s on the same Wi-Fi as the people in that office, so he could use that computer to log into things like Gmail, which would appear to be the same IP those people are typically logging in from, making Gmail think this is normal activity and not alert the user. After a while, Chris had collected and delivered enough evidence that the client called the police.

CHRIS

Yeah, so, the evidence was  essentially what they suspected,   that both money that had been sent to  the company to build the company was   being moved to both personal accounts and to  that exist — to the outside investment firm,   as well as IP that was created in the business.  The subsidiary was being moved to another   investment firm as essentially our collateral,  our moat, for example. This is the data. So…

JACK

How did you find —  where was that smoking gun…?

CHRIS

That was there. That was freaking  everywhere. That was everywhere. These guys   were operating like, again, the Wild West.  They’re operating the e-mails, both Gmail,   both company e-mails, file servers, everything.  It was just — the evidence was everywhere.

JACK

It just took a while to put it  all together and connect the dots, but…

CHRIS

Yeah, and remember, that was not our job. Our job was to present what we found, and then they were to go, is this…? ‘Cause we don’t care. Like I said before, I don’t want to sound nonchalant, but is this your shit? Yes, no? Do you want us to find more shit? No, we have all the shit we need. Go do your job. That’s how we operate because, again, it’s not personal. We don’t care what the information — is this the right shit or are we on the wrong track? We just need to know.

JACK

Now, the payment for this, was it  sufficient? ‘Cause I can imagine them saying,   here’s a briefcase of money, and then you’re  like, well, dude, that — okay, we’ve been   working on this for three months. If you want  us to get more, we need another briefcase.

CHRIS

Yeah, we don’t — how we operate is we will have an initial fee, a finalization fee, and then we will have what we call an ongoing fee. So, yeah, the jobs like this, we’d like to have over within a month. So, initial fee, completion fee, but if you want us to continue to monitor these eight people and this outside company, you’re gonna have to have a monthly charge, almost like a subscription model, where they would pay to just point out what’s going on in these people’s lives. So, you don’t want them to think they’re idiots. So, you’ll put a quote in front of them and they’ll say, we agree to that quote. You better stand by that quote. You know what I mean? If you want referral jobs going forward, like if you said half a mil or a mil or two mil, whatever you quote, you stick to that. You don’t say we need more. You make it crystal clear, ‘cause this is — again, this is repeat business that you want.

JACK

Yeah, I’m just starting to put the  picture together of how much you charge   versus how much they’re losing. It’s worth more  to them to pay a million or two million to you,   and if they’re gonna recover what? How much  money do you think was being stolen here?

CHRIS

In this case I know exactly how much money was being stolen. I think it was 2.5 US or 2.75 USA million dollars in this case, but you gotta think — when you’re in business, Jack — I know you’re in business, but when you’re working with a customer, their initial first-year spend might be — let’s say it’s half a million dollars for the initial spend. Once they see how useful you are and then you do repeat business, it’s like, it’s an investment firm. They’re always investing shit. So, they’re always gonna want to use your services down the track. So, you might do — it’s a bit like a drug dealer. Like, you might give them a taster for a half mil, and the next job’s gonna be worth two. You know what I mean? You just — they know your worth, they know your style, and then you know you’re gonna get repeat business with higher stakes.

JACK

I mean, he’s dealing with wealthy people  here, billionaires, oil money. If he can prove   that he’s the go-to person to these folks, yeah,  these could be long-term customers of his. In this   case, they were very happy with him. They got  enough evidence to take action on this thief.

CHRIS

They then got lawyers involved from their side. They had to be really careful about what they presented to the lawyers, but it was ‘we believe XYX’, and then get the police to arrest the ringleader, Bob, at that moment. So, that was essentially their goal, to get him in jail, ‘cause they took it personally. They were — like I said to you, you gotta treat them with respect, and if you disrespect them, then they get really emotive. Then, for them, jail was the worst case of action for them.

JACK

Okay, the story’s over, right? They found —  you found the thief. They put them — him in jail.

CHRIS

Yeah, so, Jack, the story’s not over  there. [Music] This is where it gets exciting, so…

JACK

[Laughs] Stay with us. We’re gonna take  an ad break, but it’s gonna get exciting after   that. There was enough evidence to prove  that this guy Bob stole the money and   the intellectual property, but they told  Chris they were worried about the money.

CHRIS

The customer were worried that Bob  was gonna use that money as a defense. He   was gonna get on — all this money,  shapiro lawyers to fight his case,   and use the funds that he’d  stolen to fund that exercise.

JACK

So they asked Chris, get  us back that stolen money. Do   your job as a hacker by any means  necessary and return the money to us,   which in my opinion is crazy, because why  not just have the police return the money?

CHRIS

They didn’t want to wait,  because you’re thinking American system,   not Middle-Eastern system. They  didn’t want to fuck around with   that sort of stuff. They didn’t want to go  through ‘we want the money, we want this,   we want’ — and then put a brief together,  stuff like that. They don’t roll that way.

JACK

So, his objective was clear; get into this  guy’s bank account while he’s in jail and move   the money out. This job has essentially  turned into a bank heist at this point,   and it seems to me that Chris doesn’t have  any moral concerns about robbing a bank.

CHRIS

No, no, no. Jack, I listen to a lot  of your sessions, and that comes up quite   a lot. I don’t have that boundary.  Does that make sense? So, for me…

JACK

Well, so, — okay, so, this doesn’t  make sense just economically, right? So,   if somebody pays you $50,000 to go get  a million dollars out of a bank account,   why don’t you just go get the  million dollars and be like,   you know what? Forget you. I’m just gonna  go steal my own money. I don’t need…

CHRIS

Yeah, and that’s actually happened on jobs  before where you take your share as well, but…

JACK

[Laughs]

CHRIS

So, in our case, remember, we were  returning the funds. We didn’t return the   funds and a little bit extra. Yes, we could have  taken money from somebody else’s account, but   that raises flags, okay? So, we were essentially  returning the money that was stolen. So, there’s   no actual victim. Does that make sense? The  money was returned to the rightful person, but…

JACK

Yeah, it does make sense. Okay…

CHRIS

And remember, we’re after repeat work and  word-of-mouth, which is how they work over there.

JACK

[Laughs] Here’s my card.

CHRIS

It’s like building a business.

JACK

[Laughs] Okay, so, you accept  this job to get the money back. Now,   how’d you do it? How’d you get the money back?

CHRIS

[Music] We compromised the bank, which was pretty easy. So, we essentially used the same sort of techniques; PDFs inside, going to the core banking system, finding out the internal — where their internet banking web servers were, replacing the front page to actually log all the usernames and passwords and two-factors, and then we would have a log file of all these names, passwords, and two-factor.

JACK

Oh, so what he just said was that he found a bank employee, sent them a phishing e-mail, got them to open a PDF which planted a Trojan on their computer, and then he was able to get into their computer, and from there he hopped into the server of the bank’s network, and from that he was able to find the front-end web server for the online banking, and he configured the online banking site so that anyone who logged in, their username and password would be stored in a log file so that he could see it. But on top of that, he was also logging two-factor authentication codes that people are entering. This is incredible. Well, he’s only trying to get access to a single user account. He’s basically accessed all the bank users who logged in during that window while he was watching. I just can’t believe this guy.

CHRIS

I suppose the question is, why are  you surprised, Jack? You’ve talked to people   for years and you know the pen-tested are  out there that people can talk about. It’s   fucking normal. You do know, but you don’t  — you would not believe how shit banks are   locally and internationally, like the shit  security that they have out there that is   just — if there was more bad people in the  world, there’d be more banks getting done.

JACK

Well, I guess maybe that’s why I’m  surprised, is because the hackers of the   world is the immune system for all these banks,  right? So, well, you got a shit security bank,   okay, well, there’s a million hackers out there  that are going to fix that for you real quick.

CHRIS

Yeah, exactly, right? The thing is, Jack, you might have a million hackers; 800,000 of those are just new to the industry, the 0 to 5. Then you — if you then look at the bell curve of people who are getting into the banks, there’s — I’ll just say a thousand for argument’s sake, but it’s a smaller number that you need to protect against. But Jack, I’ve seen some banks that when I’ve gone in — and I’ve gone into AD and have a look at Joe Smith, and it has a description of where they work, and what they put in the description was the user’s password.

So, password1 or password2 in clear text in the descriptive field of the LDAP field, because when someone rang up and said, oh, I forgot my password, they’d just read out the description tool from the LDAP. I couldn’t fucking believe it. So, they would have everyone’s password on a list and just read off it. If anyone knows anything about LDAP, you can just query that. But that’s the shit that we see as a pen tester and as a black hat. We’ve done banks, Jack, where we’ve seen other hackers in the bank itself. Like, there’s just fucking hackers right beside us.

JACK

Wait; then you’re like, hey, I  recognize you. I’ve seen you at Defcon.

CHRIS

Well, exactly right, and  the beauty of stuff like that is   you work around each other. No one wants to lose…

JACK

This is like that Beastie Boys video,   Paul Revere. You know that song? Where  they’re just hanging out at the bar and   then suddenly the one guy is like, I’m gonna  rob this place; you in? Yeah, I’m in. Let’s…

CHRIS

Exactly, and you don’t know why they’re there. You don’t know if it’s government, if it’s other hackers, or whatever it is. You just work around each other. The beauty is if you do find tools that they’re using, you take a copy of those tools, ‘cause we can then use those tools to plant on another target’s side so they get the blame for it, not us. So, you look at the techniques that they’re using, whether — today we use APT groups, stuff like signatures. You’ll create those signatures and you’ll plant them somewhere else. So, you might compromise a target, format the disk — before you format the disk, throw the tools on, format it, and then all of a sudden, someone — some Deloitte guy runs in case and goes, oh, I can see some deleted tool kit. It must be this group. Then they get the blame for it.

JACK

Oh my gosh, did you hear that? If Chris really wants to hide his tracks, he’ll plant evidence on servers which makes it look like some nation-state hackers were there, which throws off investigators who are on his trail. He only knows what tools that some of these other hackers use because in the past he spotted them on the same servers that he’s hacked into and watched what they’ve done. Okay, so, you got to the web page. You were able to see this target; Bob’s username, password, two-factor authentication code, and were you able to log in and transfer his money out with this?

CHRIS

No, because when you did a transfer,  it then asked for your two-factor indication   code again. Now, the problem we had is  fucking Bob’s in jail at this stage,   so he doesn’t have access to his texts.

JACK

Oh, right. How’s he gonna do online  banking from jail? They managed to get his   username and password and were able to log  into his account before he went to jail,   but there’s this problem with the 2FA code now.  So, the — when you go to wire the money out,   it asks you for another two-factor authentication.

CHRIS

Correct. This bank did, yes.

JACK

And you didn’t have a  way to get that second one.

CHRIS

No, because we had the session live, so —  we kept that session live so it wouldn’t log us   out when we got access before he went to jail.  But when it then asked for another transfer,   it did a ‘oh, you need another code to do that  transfer’, so we couldn’t move that money out.

JACK

God, you’re insane. Okay, so,  Plan A failed. How do you do it?

CHRIS

Yeah, so Plan A failed, and I don’t want to sound like the glass is half-full, but it was enough to prove that the money was all — not the whole money, but a good portion of the money was still there. Bob obviously had some expenses. So, at this stage, remember, we had already compromised the bank itself. So, it was just essentially going in as a teller. [Music] When you’re a bank teller, you’re god. You can do whatever the fuck you want, so — and if a bank teller doesn’t have the rights, you can be treasurer. You already own the bank. You can move up horizontally, vertically, to get the guy’s access to move the money.

JACK

Huh, interesting. If he can pose as a bank teller, get the access they have — they have the power to conduct any transfer they want. Keep in mind, Chris spent ten years working in the banking sector, so he knows exactly how banks operate. Step one; comb through the directory of employees. Find which ones are the tellers, then find which ones have remote access to the bank where they can do work-from-home stuff, maybe like phone support or something, then grab their username and hash and crack the hash, and now you can log in as that teller and move money around, which is exactly what he did. As a teller, he transferred Bob’s money out into another account.

CHRIS

So, remember we talked about  2.75 and I was fumbling over the 2.75   and 2.5? Essentially we recovered  the 2.5, but the original was 2.75.

JACK

$2.5 million were taken from that guy’s account while he was in jail. Crazy. This is black hat, bank robbery type stuff. Now I’m starting to put it all together on what he means when he says he doesn’t care if he does illegal black hat type hacking. He’s like a mercenary hacker for hire, you know? Maybe that makes him gray hat, where, yes, it’s illegal, but he’s helping someone find a bad guy. But what I don’t get is why the bank didn’t raise alarm bells from all this. Like, if $2.5 million got transferred out of the bank in a very suspicious manner, you’d think they’d launch a full-on investigation like bring in the teller who did this transfer and ask them a bunch of questions and look through the security logs for any unusual activity, and if they noticed all the usernames and passwords were being stored in the logs, then that’s a data breach that should be disclosed to their customers and maybe impact their share price or something.

CHRIS

Yeah, so, you raise good points. In my world, there’s people to make transfers disappear. So, in my world, I can contact — I’ve got bank accounts that I can use that can be scrubbed on the other end in the Swift network to say that that didn’t exist. Then it goes through a laundering process where that money is cleaned over a nine-month period, so that money gets returned. So, in there — the answer to your question is, in Bob’s case, no one gave a shit. Bob had money in his account and all his money was returned, so there is no victim. Does that make sense? Bob stole the money; the money got returned. There’s no one whinging at the bank, where’s my money?

JACK

Huh, since nobody complained the  money was stolen, then maybe nobody ever   investigated this, which means they  don’t have to hide the money trail,   either. He was preparing to wire the  money to a bank where he can launder it   and have it come out clean, but since this  money rightfully belonged to the client,   they didn’t think he needed to go through  all the hassle of cleaning the money.

CHRIS

No, in this case we didn’t need to. It was  just transferred back to the investment firm. So,   it was just like, from Bob to investment firm.  It’s been returned. It’s been misallocated,   misappropriated, and it’s been returned.

JACK

How wild. Somehow this all slipped past the bank. Perhaps later they saw this but never came public about it or reversed the transfer, and maybe it was because Bob was in jail and never complained about it, or maybe they wanted to avoid embarrassment of being hacked, or maybe it was because they saw where the money went and it was to a very influential person who they didn’t want to disturb or ask questions about. Or maybe they did ask that person questions and that person simply said, yeah, the money was stolen by Bob, who’s now in jail, and here’s the police report. Thank you so much for reversing the charge. This whole thing’s just got my brain up in knots.

CHRIS

This method here, we could have created a fake teller and just done a ‘copy user’ and then ‘replace’ and then just done the transfer that way, but we knew we didn’t have to. The fact that the customer just wanted their money returned to their bank account and not a washing station like a laundromat, then it was just — that it was just, who gives a shit? We didn’t have to do any — we didn’t have to delete the user, we didn’t have to delete the transactions…

JACK

I guess what I’m wondering also is if  this going back to the appropriate person,   then why can’t — the person, your client,  is a very influential person in the region.   Why can’t they just go to the bank and be  like, ‘listen, I found the guy who stole   this money. We need to reverse the charge.  Just do this. This is a legitimate reverse’?

CHRIS

That’s a great question. What we — all I can tell you is what we were told. We’re told there were — they feared that that money was gonna be — if the money was there, which it was, the money was gonna be used as — in a court process, like it was gonna be a strung-out, two-to-three-year court trial, and nobody used those funds. So, the time that they got that money back, they would — the bank said, you need a court order. Can you prove it? Blah, blah, blah. They were worried about that. Now, whether they could have just overridden that, I don’t know, but in their head, that’s what they were worried about.

JACK

So, keep in mind who we’re dealing with  here. This guy we’re calling Bob has the guts   to steal money from an investment firm owned by  a super-rich guy. Even though Bob got caught,   he’s still pretty smart, so he’s probably  got a plan for when all this goes wrong. So,   it’s important for Chris to keep eyes on him as   he goes to jail. So, he watches who  Bob is messaging and what’s he up to.

CHRIS

[Music] Look, he’s the kind of guy that — I actually have respect for this guy because he’s pretty cunning. Because I’ve been reading his e-mails, I knew him so well inside and out. You know what it’s like when you’re reading — or maybe you don’t, Jack, but you know when you read someone’s e-mails, you have a relationship with them whether — they don’t know it, but you actually know them inside and out. So, yeah, Bob’s quite crafty. But Bob used the ‘I am ill’ card, and he worked with his doctor to get a bail hearing, that he could get out on bail while this case is going forward. So, he was essentially in jail for a week, and then the doctors were — ‘my client is sick’ note, which we could verify because we talked about Level 2 and Level 3. We had access to his doctor, so we could actually see what was going on, that he used his doctor to get him — to get him to get out of jail after two weeks in jail. What happened is we were reading some of the e-mails when he was in jail, obviously, and then outside of jail, and his language changed. He almost — like he was putting it on. You know when you’re an actor, you act, and when you’re not acting, you look like an idiot. Bob was essentially — it looked like he was acting in his e-mails. I said to the customer, this is not normal e-mails that he’s sending out. Like, he was going on fishing trips. He was planning a fishing trip, and the cunt had never been fishing. You know what I mean? It was these — all these sort of, I’m gonna be here at this time, and it was too much information that I think, he’s on. He knows that you’re — we’re reading his e-mails and he’s putting it on. I said, look, this guy’s a flight risk. They basically went, no, no, no, he’s fine. We got his passport and blah, blah, blah.

JACK

So, because Chris had such a  deep level of visibility into Bob,   he watched him closely to see where he was going.

CHRIS

Bob didn’t actually go fishing. He was smuggled across the border in a bloody burka. We tracked his headers of his IP, saying, look, the guy’s not even in the fucking country anymore. You guys think he’s there. He’s not. He’s in Oman. So, all this shit talk about ‘we’ve got your passport, he’s not going anywhere’, and he actually escaped the system on a second passport. Because this was in real time over maybe a twelve-hour period — I’ll say twenty-four-hour period, essentially the guy was moving fast; car — he was in a car. We later found out that he was in a boot, and then he went into the back seat with a burka, and then he hopped a border and then got on — he had another passport and then he used that. But because we had the IP headers, we could see where he actually was. He was — I’m not saying he’s stupid because a lot of people don’t — in that world don’t understand IP headers, but…

JACK

You were in his phone?

CHRIS

No. He was sending  e-mails out from his device.

JACK

Okay.

CHRIS

I’ll make that clear. Normally we do get into phones, but this case wasn’t a phone. It was just e-mail headers, not IP. Don’t get me wrong; I don’t normally talk about this, but sometimes we will send a ping packet. So, you get the odd SMS and — you know, Jack, you’ll get an SMS and you’ll click on it; your UPS mail is late. You’ll click on it and go, oh, it’s just some fucking scam that’s asking for my username and password. But what it does is just tracks your location from your phone. We used that a couple of times on this project, but it wasn’t a tool that was needed. Does that make sense? We had enough from the IP headers that we didn’t need a GPS location.

JACK

Once Bob left the country, there was  nothing Chris’ client could really do about   it. So they said, thanks for letting us know. I  guess that’s it, then. Here’s your final payment.

CHRIS

That’s the end of the engagement.

JACK

Weird question; have  you ever killed anybody?

CHRIS

Only virtually.

JACK

Yeah, virtually.

CHRIS

The answer’s gonna be  ‘no’ on this podcast, Jack.

JACK

[Laughs]

CHRIS

Have I birthed  anybody? That’s another story.

JACK

You have many kids.

CHRIS

I have many kids, I have many kids.

JACK

See, the thing that put Chris Rock on  my radar is a talk he gave at Defcon in 2015,   titled I Will Kill You. In this talk, he explains  exactly how to use hacking to kill someone.

CHRIS

Part of my career as a pen tester, mercenary, SIEM founder, is research, and one of my first Defcon talks was — I was watching the news in Australia, and one of the — the news report was a hospital accidentally sent out two hundred death notices instead of two hundred discharge notices. I went, what the fuck? How is that even possible? Then that led me down the rabbit warren of researching the death industry, the medical component and the funeral-director component, on how the system has moved online and the flaws involved where you could actually physically create a real person, like a fake person, and how you could kill them.

JACK

Okay, so, walk us through this  step-by-step how to kill someone.

CHRIS

Yeah, so, in America — okay, it’s very similar around the world, but in the US, they have — they used to have a paper-based system where the funeral director would fill out half the form on how the person died or where the person died, like where they’re buried and all that sort of stuff, next of kin, and the doctor would fill out the first part of the form which is the cause of death and those sort of details, name of the victim and then how they died. That one piece of paper would go into essentially the birth, deaths, and marriages system, and then that person would be declared dead. What’s happened now — that’s moved online, so when somebody dies, the process is the doctor will log into a US system called EDRS, log on with their username and password, and actually put in what caused the person to die, a pulmonary embolism or whatever, heart failure, that sort of stuff, and then that information would then pass to the funeral director.

The funeral director would complete their part; again, username and password to log in, and that would form the death certificate in the EDRS system. Now, the flaw in the system is — both the medical and the funeral-director component is if you want to be registered to declare people dead, you put in your license number, your medical license number, and your office address. Now, if anyone’s looked up a doctor before to see if they’re a real doctor, all their shit’s online. There’s databases all around the world to say whether — your doctor’s license and practice, their registration number, and their office number. So, you could register yourself as a doctor and then you could then — you could actually kill somebody off the first part. Again, with the funeral director component, it’s pretty much the same as a doctor where you can declare yourself a funeral director and form the second part of that form to kill somebody off and get a death certificate.

JACK

Why would you want to kill someone?

CHRIS

Well, there’s multiple reasons why you’d want to kill someone. First of all, if you want to kill your parent, for example, like you’re waiting for their will but they’re not giving you the money, you could actually kill them off. You could kill your boss. Your boss is being an asshole; you could kill him just to fuck with them, or if you’re under investigation. So, you’ve got prosecution and judges and all that sort of stuff; you could actually kill them off to make their life more difficult.

JACK

Oh, my gosh. You’re ridiculous. So,   you’re saying this flaw in the death system  can also be done in the birth system?

CHRIS

Yeah, so, it’s exactly the same. Well, it’s a different system but exactly the same as EDRS for deaths. You need two parties. So, you need the doctor or midwife and you need the parents — the name of the child, the weight of the child, and stuff like that. So, the two parts will then make the birth certificate very similar to the funeral director and the doctor making the death certificate. If you have a home birth, you may not even have a midwife. So, it’s something actually done by the parents. So, once you have an online system, you have a birth certificate, that person’s then born. So, in theory, you can create fake children and then when they hit a certain age, you could kill them off and get their life insurance, their credit, and all that sort of stuff.

JACK

You double — you do both of the  things. Well, I was — I really like   this idea of making a fake persona to  use as a second identity in case I’ve   embezzled some money from a Middle-Eastern  millionaire and I need to leave the country.

CHRIS

Exactly, Jack. You think, why have one when you can have a hundred? So, you can have a hundred fake people that have different credit, and so, if you screw up your life and you go to jail and you have to come out and you go get another job or whatever, you have another clean identity, like another virtual ID, and it’s real. It’s not like someone entered it in the back end. It’s actually a registered person that you can have. I suggest you keep yourself looking young because you might create someone who’s zero, and then — but there’s little flaws in the system as well, and I’ve made mention that they don’t want people going through life without being recorded. So, you have up ‘til age of five to get yourself registered. So, if you have — you can take five years off your virtual person by registering five years after they’re born, ‘cause they want to capture people as they go into the school system, and they don’t want them to be prevented from going to school or getting a driver’s license and stuff like that. So, you don’t have to register a baby at zero. You can register them at five as well.

JACK

You know, when I saw you do this talk at  Defcon, I was so surprised that the governments   haven’t knocked on your door and said, hey,  would you shut up about this? You can’t just go   making — killing people and making babies that are  not real. You’re teaching people to do bad things.

CHRIS

Yeah, so, the government haven’t  done shit. They’ve even seen my talk. Now,   my talk was done nine years ago, Jack. So,  the same flaws exist today. Nothing’s changed.

JACK

If you’re intrigued to know more about how to kill someone like a hacker, go to YouTube and type in ‘Chris Rock Defcon’. He actually has given three talks at Defcon and they’re all phenomenal. In the second talk he explains how to overthrow a government, and I have a sticking suspicion that he’s actually done it or was very much involved with overthrowing a government in the past. Let me know if you liked him and you want me to have him back on and tell that story. His other talk is about how to bypass radio jammers in case someone’s trying to jam your cell phone, and he’ll show you how to get through it anyway.

Transcript source: Provided by creator in RSS feed