Soaring Through Cybersecurity: Indoor Skydiving and Pen Testing with Brian Johnson

Speaker 1: 0:00

Let's jump into it, brian, awesome to have you on here on the audit, hanging out with us, here, with Nick Mellum you might have met Nick in person a while ago. Oh yeah, and Josh. So thanks for jumping on. I know we've been trying to do this for a while, but you're the inspiration behind even doing this podcast. So, again, thank you for that. You and I need to get together in the near future, have coffee again, go indoor skydiving again. I don't know what happened. I just I fell off a cliff, uh, but uh, it took the podcast to get us back together. So, um, anyway, thanks for coming on real quick.

Speaker 2: 0:43

Did you guys actually go indoor skydiving together?

Speaker 1: 0:46

We did. Yeah, Brian is a master at it, Like I mean he just did, do you?

Speaker 2: 0:53

It's called iSkydive or something like that, or iDive, or iFly, ifly.

Speaker 1: 0:58

No, he's going front to back now. He's all over the place. He's in there all over. Yeah, he's all over the place. He's in there all over. Yeah, he's all over.

Speaker 1: 1:06

Uh, it sounds easy, right. Like, oh, yeah, you know, you throw on this dirty suit that they give you and like this dirty helmet, and then you know they spin the wind up like 200 miles an hour or whatever, and then, like they start you out, like laying on this net and this wind blowing up, and you're just supposed to hover there and I think I could get that down pretty good, and then after that they flip you over on your back and that, let's be honest, that takes about three or four weeks, right Cause, like, get that part down, yeah, and I mean you're, you're paying $30 a minute or something crazy. And like you're in there for like 90 seconds, right, like you know. So, brian and I, you know, when we started doing it, there was like five other people in there and it's like little kids like they go in for 30 seconds with the instructor, they pull them out and then you go in, right, you're doing your thing, and it's like a full body workout, yeah, because you're using your core and all this stuff.

Speaker 1: 2:02

So then you know you're using your core and all this stuff. So then you know you're floating on your belly and they're like, okay, you know, hover sideways, go up, go down. And you know you're doing it all by controlling your body movements. So then Brian and I got the idea. We're like, look, we want to come in here for a half hour and we don't want anybody else, we want a private lesson, right? So now we got the whole tube to ourselves, right. And, like you know, we're in and out every two minutes doing our thing. Uh, and then I think one of us went on vacation it was probably me and um, then, when, when, when I came back, um, brian's all advanced, he's on his back. You know, he's doing the whole thing. They get me on the back, I'm flying into the wall and I'm like, man, I could get a neck injury, I. This is no good, so, but I do need to get back to it, brian. Um, or what are you doing now? Are you walking on the wall and stuff?

Speaker 4: 2:53

yeah, like I'm, I'm teaching there like part time. See, are you?

Speaker 2: 2:57

serious? Oh, I would have believed you, yeah he's, he is yeah I haven't.

Speaker 4: 3:03

I haven't gone quite as much either, but I've been working on. Oh, what I'm working on is, yeah, you're flying on your back and you kind of kick your heels and thrust yourself forward and you're going to get into the sit-fly position. It's kind of like at the beginning of the Matrix, when they got Trinity cornered and she's like, yeah, I'm going to surrender, and then does like this kind of thing right before the guy in the face.

Speaker 4: 3:28

I love it. So I call it the trinity and I've had it. You talk about burning money. Yeah, whatever, it is 30 bucks a minute. I don't know how many minutes I've spent not doing it, but I locked into it for like six seconds one time and it was like the most amazing thing it's like nirvana, yeah you've thrown money into this tube and watch it blow away. But it's just like the. The relaxation and the stress release I get from it is uh, yeah it's.

Speaker 2: 3:55

Have you gotten real skydiving?

Speaker 4: 3:57

I've not. I went down. So I took a vacation a few months ago to to arizona and they have a big, they have like a compound there. You can go and pay some big amount of money and do like unlimited jumps for a day or whatever. But they had a skydive tube right next to it. So I I went with a instructor and did some work there. But that tube is kind of funny because it's it sucks in uh, it sucks in air from the outside and pulls it in. So you're, you're flying along and then you know bug squirts onto the you know visor and stuff. So it's like 40 environmental.

Speaker 4: 4:29

Yeah, it's like. It's like a real, the real almost. I mean it's one step closer to the real thing, you know. But um, it did make me. By the time I watched people, you know, kind of do it for a couple hours while we were eating. I was like I kind of want to do this, but also I don't want that to be how I get a severe neck injury. But I could get that in the tube too.

Speaker 4: 4:49

So I'm kind of what state was that in, that was in that was in arizona in eloy is where this is it is.

Speaker 4: 4:55

It is. It's a big compound and they got people come and they set up their tents and their trailers and they stay there. Someone would stay there for like a week and they just jump all day. Take a lunch break, jump, jump, jump. That's cool. They've got planes continually taking off and you'll see the little dots in the sky and then you kind of lose track of them and all of a sudden they all pop their chute and then they start dropping right in front of you.

Speaker 1: 5:17

That's super cool, pretty cool to watch A lot of these instructors in the tube at least the one here that we were going in like they skydive, like that's their jam, right, and then they're teaching. They have to go through these courses to teach. But I was surprised at the number of instructors that were injured Right Like, because they have to. They have to sometimes catch a person who might have lost it Right to. They have to sometimes catch a person who might have lost it right. So you have, like this you know 130 pound woman who's an instructor, and then you got this 200 pound dude who's up 10 feet and loses it and she's got to catch him so he doesn't break his neck and then her shoulders torn. I think that happened like three or four people in there her insurance has got to be crazy that.

Speaker 4: 6:02

yeah, eric and I sat down one time, just tried to spitball the costs, right, and we're just like how does this? They got to be doing criminal stuff on this side because how can you afford, even at the 30 bucks a minute, right, you just go like all the insurance, energy, uh, all that stuff. But yeah, we had to do the couple summers ago. Yeah, exactly what eric said. He got up, got a little out of control and and the worst thing you want to do, like if you're flying like this, the worst thing you want to do is get like this, because then you just drop out of the sky and some guy got up there, kind of went vertical and started to want to catch him and then it tore 98% of his bicep because his arm bent the other way and he's out. I haven't seen him for years and he's kind of like he's done what I trained to do.

Speaker 4: 6:47

Uh, what do I do now? And I think you're trying to fix.

Speaker 2: 6:51

You're on to something, brian. There might be up to some criminal activities. They might be the ones that are sending us phishing emails asking for gift cards it could be and I'll tell you what.

Speaker 4: 7:00

So at the end of your uh flying you can go up to them if you bring a USB drive and they'll put your movies on that you take it. So Eric and I are always like, oh, I don't like the whole you plugging in a random USB drive from me into your systems. But even worse, I don't know if this was happening, eric, when you and I were there. But now they just go, hey, just go into the back room to this domain joined machine, just throw your device in there and uh and grab your videos. And it's so tempting like maybe I'll just try like a little bit of a pen test here, but yeah, obviously wouldn't you know?

Speaker 2: 7:37

you heard here first folks when we were there.

Speaker 1: 7:40

I remember you know they yeah, come around behind the counter, put it in. And we go behind the counter. Brian and I swear they had yellow sticky right. I mean this is like the comical stuff Yellow sticky password on the screen. We're just looking at each other like are we in the twilight zone here?

Speaker 4: 7:59

Yeah, and not too worried about it. But again, you know how many organizations, at least from a physical security standpoint. That's the thing. You get one step past the receptionist and it's like, oh hello, everybody with your monitor farm Like, oh, sticky here and I'll take one there and I'll grab one there, and wow, that's the HR system and you know banks and all kinds of good stuff right here.

Speaker 3: 8:18

Brian, that was a nice segue into the topic today that we can hopefully oh, josh, we're gonna derail your topic, josh you're gonna try to keep us locked in brian oh, man, yeah, and I'm using that guy.

Speaker 4: 8:31

This is a nice, this is he really is.

Speaker 1: 8:33

He's really driving us. Hold on one sec, josh. Uh, I did want to say, though, brian, what you're on like podcast 680, some right. So strong plug out to Brian. We definitely we got a link out to it.

Speaker 1: 8:51

Brian, you've got an awesome podcast seven minutes security. The premise is what can you? I think the premise started about you know what can you do in seven minutes? Right Around seven minutes security. But you do so much more than the podcast, and I also wanted to talk to you about this too, about your training. Right, you have an awesome um training curriculum that you do, and I don't know what you do like eight or 10 people at a time. Um, I've got, I think, three or four people. I want to get into the next one if you're ready to go, but everybody that's taken it has said that it's just an awesome class. It's great An intro into Windows, active Directory and kind of that corporate security breaching, so really good stuff. The security teams that I work with at customers I always recommend. You know you got to take this class, so let's do a seven minute one and just talk about a security thing. That's kind of what, what?

Speaker 4: 10:07

what it was for a long time, where I was a long time it secure, uh, it, you know, network admin, sysadmin type and got into security. My first gig about 2013 or so and it was just trial by fire throw us into everything. So it's like, hey, monday you're going to do an incident response for a little bit and then tomorrow you'll be writing policies and then after that it'll be onto vulnerability assessments and pen testing. And it was just like man, I'm drowning, but I'm also kind of loving it. So I'm going to start this little short podcast. As I drive from customer A to B, I'm going to quick do a brain dump on this cool vulnerability assessment tool I learned about called Nessus, and let me just tell you about that and what it costs and what it does and blah, blah, blah.

Speaker 4: 10:52

And then just kind of kept that up for several years and then just gradually just got to the point where the topics and I started adding interviews and just a lot more things and it was just harder and harder to cram things into seven minutes. But, um, you know, I've kind of had the the name as both the podcast and the business for so long. It's kind of too hard to go back and change it. But uh, my buddies just joke it. You know you should really rename it the arbitrary length security, because we just never know, um, what you know what we're going to get. And yeah, I appreciate you plugging the training.

Speaker 4: 11:26

That's something we have offered about four times a year now and yeah, we keep it really small classes, but it's three half days, so three four hour chunks and you don't need to bring anything, we just let you remote right into a domain environment that looks, lives, breathes, just like a real environment you would attack in the wild and together we go through enumerating it, attacking it, escalating privileges, all this stuff, and I've long said it is by far like the biggest work, labor of love I've ever had because, as you can imagine, something like that takes a ton of time. When you're building something intentionally broken, with problems right, and you want people to break it just enough to abuse it but not make it cease to function, that's kind of a delicate dance. So it was an awesome learning opportunity. But I always tell people, whenever I bring students to the class who haven't done something like this, I feel like the guy who's seen a super good movie or read a really good book and I know where all the best parts are.

Speaker 4: 12:33

It's like, oh, I can't wait to see your reaction when we get to this next part where you get to be domain admin. Some people are just like their minds are blown and they're like, okay, I'm quitting what I used to do for security and I'm in a pen tester, like they get that, you know kind of that glow of like you know really doing it for reals and um, for reals.

Speaker 1: 12:54

Kind of like when you had that chair flying experience, right, you know like you got it for six seconds and you're you're locked in.

Speaker 4: 13:00

Exactly, yeah, yeah, yeah, the, the, the, the Trinity, and oh, I just have to say, related to that, I also that whole Trinity thing that I'm working on. The other thing I've had in the tunnel and I kind of feel it sometimes during pen testing is there's one movie, learn in the skydiving, where I don't know if you got to do maybe you did this to Eric you you're on your back and you, when it's time to get out of the tunnel, you fly over, you stick your feet into where there's no air and then you kind of arch your back and you just up into a standing position and walk away and it just feels like I wish I could do that in real life. A little hard to do on carpet, obviously, but if that's how I could enter and exit, that's what I would do.

Speaker 1: 13:43

Josh is going to have to come on your podcast to get what he wants to say in, so maybe you can have Josh on at some point. The other thing you mentioned movies, brian, and it turns out you're a little bit of a movie star.

Speaker 4: 13:56

That's, that is correct. I was Christmas caroler number six in the 1996 holiday comedy smash jingle all the way with Arnold Schwarzenegger. Yes, so I was in high school at the time and, yeah, they held auditions for a Christmas Caroler group to be part of the scene where Arnold is breaking into Phil Hartman's house and stealing this Turbo man doll. That's kind of like the toy every, every family wants, uh, for the holidays. Um, so we went yeah, it was just a crazy thing. We went and interviewed and, um, it was one of those like great thanks for the audition. You know, don't call us, we'll call you if you uh, if you make it. And uh, it was like a couple weeks later I was at my after-school job and my then girlfriend, now wife, uh, called me at work and I was like, oh, hey, I can't talk right now. I'm at work and she goes. We have to be in St Paul for a costume fitting in two hours. I'm like costume fitting.

Speaker 4: 14:52

She's like we made the movie this is the real deal and just off like that into the land of Hollywood for about a week to go to a recording studio and record the vocals and then do a couple of days on set and man, I'll tell you what. I don't want to derail us too much, but I can see why people get addicted to that lifestyle. Where you've got I mean, even at our little part we had people who were just assigned to kind of be our assistants and be like you know is the sun too bright, you know.

Speaker 4: 15:17

do you need any? Any sunglasses, I'll bring down it. You hungry, you look hungry, should I bring you? And then let's touch up the makeup and all the stuff. I'm like, well, yeah, a guy could get used to this.

Speaker 2: 15:28

But that was a real handler. It was a handler, yeah, yeah.

Speaker 4: 15:31

But that was the beginning and end, unfortunately. But you still get paid, still get. Oh, I wish I still had it. We just put it in. Yes, amy and I both got it. It was about a $4 check.

Speaker 1: 15:49

And that went right right to the bank. Yeah, you can't even get a cup of coffee for four bucks anymore.

Speaker 4: 15:51

I don't know what's going on. Yeah, but it is kind of crazy right, this many years later, um, to still get that about two or three, three times a year the system works yes yeah, well, I definitely watch that movie every year, so I'm probably gonna put it on tonight and you give him his three

Speaker 1: 16:06

cents yeah there you go. They did a casting um in jordan over the summer and my mom actually got into a movie uh marmalade as an extra over the summer. Um, which was kind of cool. Right to then go to the movie and see her on the big screen, that's kind of fun that's awesome. I know you did that yeah, all right, josh, get you go ahead. Sneak one in on us, josh.

Speaker 2: 16:29

I haven't been in any movies. They don't want me in any movies. I know that that's not what I heard. Nick, I'd maybe like to be in like Sicario or something cool like that, you know.

Speaker 1: 16:42

So Brian Nick has a thing, let's just get it out in the open here, josh, sorry, I got to go, I got to go.

Speaker 2: 16:47

I got to go feed the cats, see, If I get it in first it's fine.

Speaker 3: 16:54

I feel like Nick would make a good like Viking warrior or like if we could shrink him, like, scale him down to like a dwarf warrior.

Speaker 2: 17:03

Yeah, what was the guy from Lord of the Rings with the, you know, with the long, with the beers? What was?

Speaker 3: 17:10

it, was it? Oaken shield, the leader of the? Was that the hobbit that's? We're gonna have to get jamie back on to check our lord of the rings lore. But uh, yeah, yeah, no movies for me either. I selfishly just wanted to talk to brian about music.

Speaker 1: 17:22

Uh, oh, there you go yeah, brian said that we could plug that too, couldn't we? Josh, josh and Brian musicians and Josh in the industry of creating music for television shows and remastering that, so that is definitely a cool topic it sounds like this is actually just shout out to our episode 40th episode.

Speaker 3: 17:40

So, uh, the audit turns 40 today, so it's it's fitting that this is a hot mess. Midlife crisis episode. This is exactly what it should be like every day right skydiving and dabbling back in in the music and uh and nick's hairless cats.

Speaker 1: 18:03

he's got two hairless cats, brian. What's the name of the cats, mr?

Speaker 2: 18:08

Meowgie.

Speaker 1: 18:10

Oh, that's great, General Meow and Mr Meowgie, it's wonderful.

Speaker 2: 18:16

I have to say this every single time. These are all live people.

Speaker 1: 18:19

Well, we'll cut that out. The cat is on. That'll be edited right out. No, I think one of the cats is on Prozac or something. Why would you get a hairless cat, dude? You know there's something wrong with that animal no allergies.

Speaker 2: 18:33

Streamline.

Speaker 3: 18:34

You got to put SPF 50 on the cat every day down in Texas. There Nice sun yeah.

Speaker 2: 18:39

Yep.

Speaker 3: 18:41

All good. Well, just to give our listeners some context today, brian Johnson from 7-Minute Security, we already talked about your podcast and a little bit about your background. Obviously, these guys have some rapport worked together in the not-so-distant past. It says on your LinkedIn profile, brian, that you're a security engineer, podcaster and wannabe skydiver. I think we've covered two out of those three titles. Maybe we could. I would love to hear some stories about you guys working together back in the day. Love to inform people about pen testing. You know, I know it means penetration testing, but I'm not still quite sure on what exactly you're doing when you're doing pen testing, when you're talking about it.

Speaker 4: 19:23

I mean you. I would say, like you put, put security people in a room and ask them to define what that is and isn't, and what's a pen test versus a vulnerability assessment. Right, we probably have some people that would come to blows with each other, but I like to and maybe this might've come from it is a rowdy bunch. Yeah, it is. This might've come from, eric, but when I'm talking about it with customers, I like to make sort of that security like a physical security analogy where it's like hey, if you said hey, you know, assess the security of come across the street here, assess the security of my home, do a vulnerability assessment on my home. In my mind that would be the equivalent of like I come, I kind of jiggle the front handle, you know, I go over to the windows, I pull up on those a little bit. I come, I kind of jiggle the front handle, I go over to the windows, I pull up on those a little bit, I maybe look and see it might be possible for somebody to throw a ladder up and then get on the roof and then maybe get into one of the upstairs windows and I kind of write you up a report that has a lot of like, what ifs and maybe some recommendations on like, absolutely put a lock on that front door. I can see there's no lock, but it's. It's kind of theoretical, it's a little bit light and fluffy, um and, and you know, maybe install a ring camera and have some brighter lights on the outside right, like kind of low hanging fruit stuff to keep baddies away. And when you talk about a penetration test, again using the physical security analogy, I think that of for that, the, the kid gloves are off, where it's more like you're asking me to see, can I just take a brick, chuck it through the window, get inside, take all your sensitive stuff and leave undetected? That's like a pretty bare bones explanation, but that's how I see the two things separate.

Speaker 4: 21:01

So when an organization asks us to do a penetration test, I'm always wanting to know what exactly do they want, because it can mean so many things to different people. So you know, if they've never had one, what we typically do is bring a little box out and we say, okay, we're going to assume that, given enough time, given enough money, enough effort by attackers, they're going to find a way into this environment, they're going to phish somebody, they're going to hack the Wi-Fi, they're going to ship one of your employees a USB drive and they're going to plug it in and that's going to give the bad person a point of presence on that system. And so we typically start our tests from there and we talk with the customer about you know what is it that you want us to do? And if they don't know, we'll say, okay, well, we're going to look really deeply at Active Directory because that can bring over a whole bunch of security issues Just from being in Active Directory over the years. There's a lot of legacy settings that can be insecure, that just are right there for the picking. That's the kind of stuff attackers would love to grab onto right, things that don't take very much effort but could have super high impact and maybe escalate their privileges to domain admin.

Speaker 4: 22:20

So we spend a lot of time looking for as many easy wins as we can. And then we also talk with the customer about, for example, where are your most valuable assets? Or, like tomorrow, if you woke up and blank was being reported on the news is it credit card information? Is it your intellectual property? Is it a client list? What is it that they would have? That would give you a nightmare. Then we bake in some custom goals too about like well, we're going to try to get to that data so that we can, at the end of this, we can say to you let's look at the story, let's look at the narrative of how we got there. How can we back through this and throw up as many roadblocks as possible so that a bad guy or gal cannot repeat that there's a lot that can be done just with Microsoft's tools and services that they give to us.

Speaker 4: 23:12

But I think the frustrating thing in my opinion anyway, is that Microsoft hands us things like Azure and Active Directory and I think again my words. They're saying hey, here's these great tools and services and they're designed so that everything just works together and we're all happy and compatible. But oh, you want it secured. Oh, well, in that case, you've got a lot of reading to do and a lot of figuring out to do this on your own, and it is kind of up to us to make it more secure. So I try to work in that space as much as possible with customers and talk about like hey, here's a, here's a PowerShell script we can run, here's a, here's a group policy we can put in place that. You know, look at it, if we did that for finding three, that would have kind of a domino effect and that would wipe out four through six. Right, and you're getting, you know, multiple pen test birds with one, you know, with one remediation. So sorry, that was like two, that was too long.

Speaker 1: 24:13

That was seven minutes. It's interesting that you certainly agree on the pen test side, right, you know, kind of the rattle, the doors and windows and everything. And as you look at well, how do we improve a customer security posture? Even the best technical controls or physical controls sometimes can be offset by not having administrative controls in place or policy. And I'll give a.

Speaker 1: 24:46

For instance, we were doing a physical a little while back against an organization that had lots of outside exposed these locker type of devices and they had physical locks on them and some of them had intrusion detection. Some of them didn't, like if the cabinets opened, you know, then an alarm goes off, but some didn't, and they all were secured by an abloy lock and that's, if you've seen that lock, it's kind of like a 3d key, it's. It's not, you know, multiple pins, it's um, it's one of the tougher locks to pick. So it's like, well, yeah, they all have these. And the guy showed me his key and he's like, you know, in order to get this key made, you know the manufacturer is the one that has to specify that a new lock can be set with this specific key. And I was like, okay, cool.

Speaker 1: 25:42

So you know, you have a key that gets into all these locks. There are 100 locks right across the campus. You. So you know you have a key that gets into all these locks. There are 100 locks right across the campus. You know this key will get in there. And so what happens if somebody leaves the organization that has the key, or what if somebody loses the key? So you know, as we look at that from an administrative control perspective, putting those controls in place that talk about what you would do in those cases, and it's great that you have a really strong lock, but if you lose a key and everybody could then have access to that and that might, you know, be available in 3D print or whatever is that a good control versus a control that maybe the physical security is not as good but you have policy in place that it's easier to deal with it if an event happens or a key is misplaced or what have you. So I think it's that kind of hand in hand of you've got the administrative controls and technical or physical controls.

Speaker 4: 26:42

Oh, for sure, For sure. And what you just said made me think of something that I don't think enough customers do. That kind of bridge, that gap, I think, between some of those technical and administrative things is. I really really love well done tabletop exercises where you kind of throw off like, like using what you just said, eric, as kind of a what if for the organization, you know, getting a bunch of the leaders, you mix of whoever HR, legal management, tech folks, get them in a room and throw out some of these kind of scenarios. I think that can help where maybe you think you're covered because you've had a pen test for a few years, and then you're like, ah, look at this awesome set of policies and handbook, I think we've covered all our bases. It can look really great just at a 30,000 foot level, but then when you start doing a tabletop to challenge those things, it can be really interesting.

Speaker 4: 27:34

And we did one not too long ago where it was our person leading the tabletop just threw out to the organization that, let's say it's a Friday morning. You wake up and you've gotten notification from Twitter. Some random Twitter user has said hey, organization, we've got sensitive data about your organization. We'd like you to pay X dollars and you just kind of let that sit with the people in the room, right, like, okay, what do we do first? And it's a very. It ends up being like a very heated discussion very quickly because some people just immediately go well, let's call the FBI or the authorities. Right, the technical people in the room go, oh, you know, heck, no, we won't pay. And you know, it's just like all these conversations bubble up and clearly it's just like everybody has a very idea, different idea of what you do first, and then you know we could just ask them to wait till Monday.

Speaker 4: 28:24

Probably not going to happen, but just to kind of layer things on top of that, right, like to keep a narrative going all the way where it's like okay, what about on Saturday morning? They say, hey, just want to remind you, we want your money. Here's a little screenshot of data that you know firmly says yes, they really do have a foothold in the organization and they're showing you, you know sensitive documents. And you know a foothold in the organization and they're showing you sensitive documents. And again, people are going. Well, I think we would challenge it and ask them to send a copy of a whole file and then we throw in. Well, by the way, they also said the ransom just went up 30%.

Speaker 4: 29:01

Every day that you're going to dork around with them and it can be, I think, both fun and frustrating after these conversations because you haven't, you know, solved all the world's problems in that tabletop session. But I think what it does do is it highlights gaps where you think you're kind of all ironed out. You know whether that be technical stuff on the pen test side or on your policy side you didn't account for, you know, kind of a ransomware threat, right, and it at least gives you things to work on in the next calendar year, because you're never going to be perfect, right, but it just keeps that security posture challenged and then we make it better. Challenge again, make it better. And so, yeah, you're right. I think that bridge that if you can strike a semi-happy balance between the administrative controls and the technical man, technical man be way, way better off than than most of the organizations out there, unfortunately, I was really curious, you know, brian, to get in to one portion of like open source intelligence, kind of like what you guys are doing there.

Speaker 2: 29:59

Back to your process a little bit with like Shodan or spider foot or you know, any of those tools. Are you actively using those or do you find those to be a really good starting point, or, um, I guess to to further onto that question, if you just had a couple of those tools, what would you reach for?

Speaker 4: 30:17

Yeah, I suppose it kind of might depend on the scope of the engagement. But yeah, just as far as and I have, I don't want to speak too out of turn, because I do have a couple of people who really love that stuff and they're into the spider foot.

Speaker 2: 30:29

Let her go.

Speaker 4: 30:30

Yeah, yeah, roach arm and whatever else is no, I don't know if that's a thing, but they're into all those tools. But what we will do as part of just kind of a general pen test, especially if they're like, hey, here's our set of IPs, we want these fully tested, this, and that it may come to be that once we actually do that testing, there's like nothing open and it's like, okay, well, I want to give them some, some more value here. So I do try to zoom out and do a bit more of the 50 000 foot view and open source intelligence.

Speaker 4: 31:04

Yeah, um, and as far as, as far as I kind of go to tools, um, you know one thing that that a lot of the smaller companies we work with want to see insight on is like oh, is there, um, is there credentials of ours out there that maybe are from breaches, and are any of them still valid, kind of thing. So a mini exercise we'll do pretty often is looking at and I know there's lots of cred dumps around the icky parts of the web but the de-hashed service I don't know if you guys have heard that one that's just de-hashedcom, and that one is really interesting. I love and sort of hate the site at the same time, because they sort of you go to the site and they're like hey, we're providing you a service. We're kind of gray hat folks here. We pull these creds from different dumps and we offer them to you so you can check your own company, see if you're owned, and we do it at a very low price. We're good guys, okay, we're totally good guys, but we also want to line our pockets and I get that. That's just kind of business. But the good part is it's really affordable. So I think for I don't know, maybe it's only like a week or two of access, but it's like five bucks for access and then for, I think, a few more dollars you can get API credits.

Speaker 4: 32:21

So you know, semi off the record, but not really because I'm sure everybody does this you know you can buy the week's worth of access for tools or just you know, to the service, and then what I'll typically do is I'll look at all of our open engagements and you have to spend API credits to query them, right. But it's like, well, I've bought a week or 10 days of access. It's like I'm going to and I've got my API credits. I'm going to just get as much juice for the squeeze as I can, and so I'll. I'll just run with the API. They have a script they put out to on GitHub, but I'll just dump out all the information I can on these organizations and it's kind of interesting, you'll often get two blobs of data from every query. You'll get just like hashes that have been seen from these different dumps or, in some cases, cracked credentials. So so I'll take. I'll take that list typically, and then there's a bunch of different tools that will spray Microsoft 365. Bunch of different tools that'll spray Microsoft 365. But I think it's. I want to say it's Go.

Speaker 4: 33:23

365 from Optiv has been really helpful for you know, queuing up a list of you know user colon password that's kind of the format they want to text file in and then you can just, you know, let that go at the tenancy. But of course, as you might expect, microsoft's pretty darn good at seeing a single IP hammering away at a tenancy and they'll tend to shut you down. So this may sound a little bit elementary school but it totally works. I've got a subscription to some VPN services and what I'll do is just essentially run a script that connects me out to some random IP.

Speaker 4: 34:04

Does one try of that list of cracked users and their hashes, does one login, then rotates to a different IP, tries another login, rotate, rotate, rotate all over the world so that I can very quickly get through that list in a reasonable amount of time without my IPs getting blocked, and that can produce some interesting results. You know, sometimes I got to make a quick phone call and be like whoa, your, you know head accounting person is using a you know this password. I got out of this breach. They are using it right now and maybe they've got MFA, but I think, as we found out, there can be ways around that. You can do MFA, fatigue attacks. Mfa is great, but it's not the silver bullet to security, as nothing really is.

Speaker 2: 34:51

So you're not dressing up like a UPS driver walking in with a social engineering.

Speaker 4: 34:57

I'm not, I can't stand that. My very first security job. I did have to do some of that and my coworkers would just kind of make fun of me because they'd be like hey, here's my imitation of Brian. Hi, I've got a package for you. Know, steve, my name's John. Would you just give me your password? Just let me leave this place with some dignity. Give me somebody, I'll take anybody's pass. Give me something, give me a, even that sticky note that's got some passwords. I just yeah, I can't do it, it gives me um, it's certainly not for everybody yeah you're just too good of a guy, brian.

Speaker 4: 35:26

I guess I don't know your character I just is it I and I know I'm totally like taking up all the time, can I? Can I tell you one story, though, where, where we did this on the fly, have to do uh I'd love to hear it.

Speaker 4: 35:37

Well, so this was one of my first gigs as as uh seven minute security and I was uh flying to another state to do just a more vanilla like sit down, critical security, controls, assessment and and that's you know, that was it. So it's like I flew down there the night before I get up the morning of and I'm just uh, the building is within walking distance of the hotel and a block away from there. My contact calls me and is like hey, man, would you be up for a little adventure this morning? And I was like, well, I mean it kind of we're going to.

Speaker 4: 36:08

I fly yeah, I thought he was gonna. I was hoping he was gonna say that he's like well, really, I know that like you're here just to do this assessment, but we've got this systemic problem with our front desk person where we have in policy and we have one-on-one told this person don't plug in random flipping usb drives that people come if they need stuff printed or whatever. We're not kinkos. He absolutely should not plug anything in, you know, via usb. Could you, just when you get up here, when you get to the lobby, could you take a drive? Could you think of some excuse that you need something, um, you know, printed? And I was like, oh man, like I, I would want to do this, right, I'd want to do a little homework and like, at least think of some lie, that's kind of. And he's like no, that's fine, just just, we want to be able to check, I want to be able to say to my boss that we did that. And you know, today I would be like nope, scope creep not doing it, but I was your Hollywood handler. That's what he did. Yeah, this is the man that Brian is. I don't blame you. But I was like, ok, fine, and I did have USB drive with me. So I made a fake resume and I put it on there and I did walk in and I just pretended that I was there for a job interview. And I'm such a klutz I forgot to get a paper resume to hand out to people. Would they print it? And of course the nice front desk guy is like yeah, sure, give me that drive. So he prints it out, gives it to me and I'm like thanks, I'm just going to go to my car or whatever and I'll be back in a moment.

Speaker 4: 37:30

So I go out in the hallway and I call my contact and I'm like okay, I did it, I passed the test. Can we just meet and start our assessment now? And he's like are you up for one final challenge? No, I don't want to do this. He goes. Okay, just just let me tell you what I want you to do and you can say no if you want to. He goes. If you go up about five floors, there's a. You get off the elevators, take a left, there's a locked area. That's where where our accounting people and the IT people are, and I want to see if you can steal a laptop. It's like forget it, dude, not doing it. He goes. Just really, it would mean a lot to me if you would do it and look good for my boss to say that we did that because we've been wanting to social engineer that group.

Speaker 4: 38:13

So I go up to that floor, go down the hallway, and it is locked. There's no lobby to go into, there's nobody to try to sweet talk, it's just a locked door and and but oh, I forgot to say. He met me in the hallway and he provided me this little hotel key card thing that had been cut out to look kind of like a, like a shiv, and he's like he goes. I've done this after hours. You can wiggle the shiv behind the lock plate and you can hook the latch open. And I said, yeah, but dude, you're doing it when nobody's around. This place is full of people right now. He's like, please, I just, I really mean a lot to me.

Speaker 4: 38:45

So you know, I just kind of peek in the little sideways slit window thing, right, and I see that there are people just around the corner in the offices. But I take the little inside the plate and then um, and and then I see somebody see and they wave and they get up and they start walking over. So I forced gump it like, but they open it up like, I'm sorry, are you here to see somebody? And I just go yeah, I have a job interview with and I knew with my site contact name and I was like and have a powerpoint that I want to show them. And I didn't bring my computer and so I was wondering if I could use one of your computers.

Speaker 4: 39:24

And they're like what, yeah, I, I really they sent me down so that I, you could give me a computer I could bring to the interview and then put up a powerpoint of my resume and such, and and the lady goes well, okay, and she waves me back and loads of people else, a login and the whole thing right, and just puts it in my arms and and, uh, you know, waves me on my way and so I go back down to the main floor, I meet my contact, I finally go into his office and I'm like dude, I'm just sweating like chris farley. You know, I'm just like dude. I hated that, I hate you, I hate everything that's happening right now. And what I felt worst about is, as we got talking, like two minutes later, the gal who had given me the machine came just tearing into the office and is also like, oh my gosh, I think I did something wrong. And then she sees me and is like what's going on, you know, and so I just have. That's part of the reason I don't do that right.

Speaker 1: 40:18

It's just that that like and then he's like but but wait a minute, I got a third thing. In the garage downstairs there's a mustang. I just need you to hot wire. Right, it's cool, just hot wire. We'll just see if it works the rule of threes like yeah, for social engineering oh yeah and that.

Speaker 4: 40:34

Just I just hate that. And then, and then to have to like go to lunch with all those people after I've I mean yeah, I've got two of them in trouble, I just I mean, and that was like that was extreme circumstances, right. Like other engagements I'm sure are much more I mean that we've done, are much more planned out, but this impromptu stuff it's like I just I wanted to throw up, it was the worst.

Speaker 3: 40:55

Sounds like you're pretty good at it for being reluctant to do so. It sounds like you killed it but I think it was.

Speaker 4: 41:02

I think it was because there was no. There was no prep time. I think I would have had like if you would have given me like a week to prepare for it, it would have been garbage. They would have been like dude, you're sweating, like chris farley, whatever you're doing, get on overthinking it over. Oh, I, I'm that type, for sure. So, um, but yeah, that was that, I think. After that I was just like, nope, I'm going to bring in Right.

Speaker 2: 41:24

That's awesome.

Speaker 3: 41:28

I got a question. You know it's a little off the topic of what we were just on, but have you guys that have been doing this penetration testing? You're working with these organizations to shore up their security risk. Then you experienced some breaches here and there, or people that do get through. Have you ever seen any of those perpetrators be brought to justice? Or are these people just kind of shadow masters, because it sounds like it's, you know, more common than we'd like it to be? But these people are, you know, in different countries, you know where they can't be extradited, or do you ever seen justice being served people?

Speaker 1: 42:05

Yeah, early in my career and I'm certainly dating myself, but I'm going back to the late 1990s, right? So we're 99, 98, 99. And I was working for a company where I was their network administrator at the time, and it's embarrassing to even say this but there was no firewall, right? This is like back in the day when things could just sit out on the internet and I think we might've had IP chains or IP, ip tables, like some sort of janky linux firewall, because the company was a startup and you know, like they didn't want to spend money on anything and, like you know, here I am saying like, hey, you know, we need this or that. And they're like, you know, they didn't even know what I was talking about, but I'm trying to build out these servers.

Speaker 1: 42:56

I, I remember we were building out these um, it was these, these one u bladed servers, and I, the company's out of business, but, um, there was a local distributor in town and rather than um pay for the shipping of of the servers, right, they're like oh, eric, can you, can you just go pick them up? So, and I'm just painting the picture of how, like, how cheap this company was. So like, I got to drive like 20 miles and I show up and at the time I had this little hatchback car and, uh, I pull up and and, um, I'm like, yeah, I'm here to pick up the service or whatever. And they're like, okay, yeah, just pull your truck around the back to the loading dock. And I'm like, well, you know, I don't really have a truck, but I think they could fit my car. And they kind of just look at me weird. And if you've seen a server before, it's like you know the server. It might be rack depth and one U, but then, like the box it comes in is you know this huge box, right?

Speaker 1: 44:00

So like I could fit two in the car so I got a call from the fbi and I was like, you know, I thought it was a joke at first. I was like, you know, this is so and so and um it, it turns out that it wasn't a joke. It was really the fbi that we had a malicious actor that had gotten into our systems and then had jumped to several other company systems and they had traced it back to our IP address. And you know, then of course we helped them and provided logs and kicked the, the malicious actor out and all that sort of stuff.

Speaker 1: 44:37

But I stayed with that company for a number of years and they grew and you know, they got, they got a little better with funding, uh, but I, I, uh, I remember like two years later I got a call, um or an email from the, the the FBI guy and he was like ah, you know, we, we, we caught the guy was, I think he was like out before, like cybersecurity was really a thing, um, but uh, I, I don't know that I've I've been involved with quite a few remediation attempts since and and and work, uh, you know, helping customers get out of that. But I don't know that I've ever found one recently where they're like, yeah, we got the guy and or group and you know we're dealing with it.

Speaker 4: 45:47

Yeah, they're certainly get better at hiding you know, making it hard, right, like making you have to jump through additional hoops. I mean, probably back in the day you were describing like it would have been easier to go oh, this IP you know is from here. Therefore, I can sort of accept that it's this organization or whatever. But now, with the ability to sort of weave yourself in and out of multiple VPNs and stuff, it's like just this web. I think it would be very hard to untangle just purely based on source attacking IPs.

Speaker 1: 46:19

Were you in the industry when hubs were still a thing?

Speaker 4: 46:23

I was doing some IT work. Yeah, yeah, In fact, I still run into a hub or two when I'm out at a customer and just like what is that down there on the floor? Wow, how does anything work?

Speaker 1: 46:38

Well, you'll appreciate this and I'll be real quick because I know you're on time. Well, you'll appreciate this and I'll be real quick because I know you're on time. But the so I'm interviewing for this, this account, and I think at the time I was like the 30th employee and I'm talking to the VP of sales during the interview and he's got a new laptop and he's got a cable plugged into the laptop and he's like you know, I just got this laptop but I'm really having trouble getting it online. So I was like, oh, let me take a look, right? So I look, I pull out the ethernet cable and an ethernet cable has four pairs, right Eight wires. This thing had four wires and like it looked like somebody at home made it, slid it in the uh to the rj45 jack and crimped it down. I'm like, well, this is your problem here. And it turns out that when, when it was a 10 base t jack, like that janky cable thing worked, but his, his laptop was maybe it was trying to operate at, like you know, 10, 100 or something, but it just didn't work.

Speaker 1: 47:44

So then I'm like, well, okay, let me take a look. So so I have, and I'm like standing on a chair and then on a table in his office. And I'm looking up in the ceiling tiles and they've got a hub up there and half the connections in the hub were like this janky, yeah. So I'm like who's doing this, like? And he's like, oh yeah, and there's somebody that's kind of in it and they're just trying to wire this up, and so I was like, well, this is your problem, all this needs to be rewired, and so on and so forth, and that's probably how I got the job. But you know, like two weeks later now I'm up in the ceiling and rewiring it's like sucker born every minute they like it wasn't a thing, where it's like, yeah, go, you know, find a wiring contract.

Speaker 1: 48:22

No, I'm, I'm there with a hole, saw dude and, like you know, zip it. It was a great job for me, young in my career, because I was doing everything from, like you know, the, the, the layer one stuff all the way up through the, the firewall and email security, but uh, yeah, running wires up in the plenum it was. It was an interesting job.

Speaker 4: 48:43

I would highly recommend anybody who's got a couple years of IT experience or even security and you kind of want to take that to the next level and just broaden your horizon and kind of get a feel for lots of different things like virtualization, storage, firewall, networking. I would say, go work for a school district. That is one of my scariest and favoritest jobs, where often is the case not always, but often it's like if whatever it is runs on electricity or has an internet connection, you're in charge of it by default. I would get these calls about like hey, we know we've got a, a matinee, uh, starting of, you know the high school performance of whatever, and the the guy you'd normally run sound and you know light is not here, so you're going to do it, you know just sitting there sliding faders Right, um, but you get.

Speaker 4: 49:33

You get such a feel for that, that kind of stuff, you know, troubleshooting, like, like you said, where's this janky wiring? Go, oh, to a hub and then to a switch and then to another hub. Well, how does this work? And how do I, you know, untangle it all?

Speaker 4: 49:47

I feel like it's a great way to cut your teeth and then also there I think it's a more forgiving environment because typically the staff around they're so happy, they just want things working, so you know if you can improve their quality of life right and you get a lot of direct customer experience working with forgiving and not forgiving teachers and that kind of stuff. But that just opened my eyes to so many things in the tech world and what I'm glad I wasn't into at the time was security, because I remember those tech ed kids we had to put what is that great software?

Speaker 1: 50:17

Deep Freeze, oh, yeah, where you can roll it back, yeah.

Speaker 4: 50:23

So it was great because they would all day try to download you know tools and format the c drive and do all this stuff. Then you just reboot and it would come back. But I mean their, their, their job, because obviously they weren't doing you know school work was to try to make my life difficult. So it it started, I think, to exercise that brain of like they're trying to do malicious stuff. What controls can I put in place, uh, you know, to to uh, keep, keep the lab functioning and keep teaching happening? And maybe in a weird way that was maybe in a, yeah, in a very, very weird way. Maybe that was like a small light bulb of like, oh, I really like this stuff, the whole bad people trying to do bad stuff. I want to understand that and then put up, uh, you know, put up some guardrails.

Speaker 2: 51:03

You found your calling.

Speaker 3: 51:05

We have some mutual friends that started out their career. Cybersecurity career at my high school Brings me back to the 90s. You mentioned 1999, eric. I want to go around and let's say what we were wearing and what we were driving in 1999. I don't know, nick, you might not have been driving yet, but I'll start first. I was. You know the Matrix. I just got to say I think, eric, I imagine you wearing like a trench coat with Neo glasses. Maybe I was 11 years old, okay, so you weren't driving, you were driving a scooter. Maybe there you go, power wheels.

Speaker 1: 51:43

What were you driving?

Speaker 3: 51:44

I had a leather jacket, long hair down to here and driving a white Pontiac Grand Am that I inherited from my grandmother that smelt like vinegar because a whole gallon of vinegar had been dumped into the back of the trunk on accident during a shopping expedition. How about you, eric?

Speaker 1: 52:04

I uh, I don't know what I was wearing. It's probably jeans and no, I take it back. I do remember what I was wearing, um, I do remember. So, uh, like you know, I was kind of out of college a couple of years and I would come to work at that company and I went from like senior network engineer to to being IT director there. But like I mean, that was something you could do right back in the day in small companies, but I would come in a T-shirt and umbros.

Speaker 1: 52:41

So if you remember the umbro soccer shorts, right, I'm showing up in t-shirt and umbros and like it's like I didn't give a shit, right, because it's like, no, I don't need to dress up for the servers, like so, this is what I wear. And like those umbros don't even have a pocket, so I'd have my wallet in my sock and I I remember going into, like you know the, because I was on the leadership team. They'd have these company leadership meetings and you know, I'm in my like early twenties and I'm just, you know, I'm in the meetings Umbros and t-shirt, everybody else is dressed up and I'm looking back. I'm like man, I was an asshole back then, but I was. I was driving a mazda rx7 which was like the the twin turbo mazda um at the time and uh, yeah, that was just my personality back then.

Speaker 3: 53:32

We're all gonna wear umbros the photo shoot over the headshots man business on top, party in the bottom.

Speaker 4: 53:43

There you go I was probably, uh, inheriting my, my dad's trade of just like, really not caring too much what it's like as long as it was comfortable like that. That was it, so it was. It was actually probably what I have now like not great jeans, nothing, just off the whatever's cheapest, uh, rack and driving. My sister and I shared those years. We shared a 1988 Toyota Tercel stick, which still is like. I love driving manual, so in some ways it's still my favorite car. Put a lot of miles, did a lot of stupid you know things in that car. Um and uh and yeah, that was, that was, yeah, that was probably it everybody was wondering 99 baby then how many cats did you have nick at that time?

Speaker 3: 54:35

yeah, I think I was at like four only like probably three or four thanks so much, brian, for uh being on today. I'd love to have you back on and maybe go into some other stories. I feel like we were only scratching the surface on this, so, yeah, we'll definitely be hitting you up for another episode down the road here. So, once again, you're listening to the Audit presented by IT Audit Labs. Our guest today was Brian Johnson from 7 Minute Security, joined by Nick Mellom and Eric Brown. I'm Joshua Schmidt, your producer. Please like, share and subscribe. Our podcast comes out every two weeks, so leave us a comment on topics that you'd like to hear about and continue the conversation, and we'll see you soon.