"A good pen tester isn't meant to show how much of a badass they are. It's to help the person prepare for the next badass that doesn't share the same goals."

"cannon based assailants are not in our risk model" is now my favorite sentence of all time.

So i am an actual technician, but the number of times ive turned up at a business and said i'm here to work in the comms room and they just let me in is astonishing.

I really hope all this comes up in the zoology exam I'm taking tomorrow.

I use the "look like you belong there" when I get into the VIP area in clubs with just a GA ticket. I've used the back side of water bottle labels and napkins, folded into the right size around my wrist as a fake VIP band and followed a group into the VIP area. My favorite time was buying the same wrist bands on Amazon that the club uses, and looked at Instagram to see what color VIP was using that night. I have more fun figuring out how to get into the VIP area in different ways, than dancing or partying with friends in the club.

That last sentence was the key difference between an actual attacker and someone just pen testing... "Getting in is fun but getting caught is the goal."

I caught a pen tester once pretending to inspect fire extinguishers. Except he wasn't in the right uniform and he wasn't quite doing it right. Called security, and got an attaboy, and told to let him continue on to see if anyone else caught him (no one did).

I love that your daily carry key ring is full of real keys (and only two jigglers). Most people wouldn't even notice the jigglers and no one is going to call it a lock picking kit. It isn't. It's just a bunch of inconspicuous keys.

weird style of stand up comedy but i liked it

I did the security guard thing for a while. It was an open secret that we were just eye-candy for the insurance company.

For half of his adult life, my Dad carried around key rings with about 3 pounds of brass on them. Gotta wonder if he could have gotten by with just a half dozen keys. He would have loved this kind of stuff. Subtly deflating over-inflated egos was a hobby of his. Once on a fire alarm install, he was going around the building with the client and the security alarm vendor, who was bragging up his system. My Dad asked the security alarm guy if his sensors worked when they're installed upside down. The security alarm guy goes "What do you mean upside down?" My Dad goes "Well these have this part pointing up, but those have it pointing down." The security alarm calls the electrician over and growls at him to reinstall the upside down sensors. My dad cracked up when he told us the story.

I think it is important to emphasise the difference between a secure lock and a signalling or token lock. The stock keys are great when you want to stop stupidity, rather than malice. We keep the key to the medicine cabinet at work in the lock, but it still does an important job. Junior staff are aware that they do not have permission to open that lock. We are more worried about a horse being disqualified from an event for being medicated than losing the medicine. I would imagine the cabinet locks are designed mostly to avoid the servers being handled routinely or by mistake, rather than stopping an attacker that has already breached the server room. I've seen a padlock on a chain that could be lifted off, and it still sort of did it's job. The field wasn't secure anyway, and if somebody wanted to break in they easily could. The chain was there to signal that going in there was not allowed (it is at some times of the year), rather than secure the field. It only becomes a problem when people use signalling locks as part of a perimeter.

I remember watching your elevator video, and it got me really thinking about who's pretending to be who. and it got me talking with the boss, now I've put up a sign at work where it says "show ID if asked for ID". Every time some random dude comes in and says "yeah I'm from X and supposed to do X", we tell them oh do you have an ID? Every single time they say "what?", so we reply "you know it's for security, then point to the sign". The thing is that the sign is located kinda "randomly" on a shelf, so you kinda have to look up. and since you're looking up, the security camera is there to look right back at you. Most of them actually pull out their state issued ID, because obviously a badge is not an ID, the one that point to their badge usually get's told, "I could also print out a badge". It's a small step to counter potential security flaws, but honestly even if you show the ID and we take it down, it's not like we're checking if it's valid, by cross refering it with some database... but at least we try to trick people to either show a valid ID or look up by giving them an unfamiliar scenario, if we are the one getting tricked then shame on them :)

It's so easy to sink hours watching your lectures. You're an entertainer.

once found an RFID dongle outside a government building and the dongle worked, tested it and immediately returned it... the person was neutral even when I asked "what if I wanted to gain illicit entry?" she replied "oh, we have a security alarm" As this person points out, all I needed was a shirt, a box of RJ45 and a ladder and I have myself a cover story between 9-5 so yes... when someone doesn't know your alarm code, doesn't mean they don't need it to start robbing you or worse, compromising your security to the point where you might as well leave the passwords on the screen, don't bother locking the doors because they are mine... I can basically have an all access season pass to your building. An alarm is for when people are not there not as a first response, contractors don't mind being questioned "hey, should you be here? can you provide proof?" because it's 2 minutes of their job and they will know not to rob the place

Thank you for emphasizing that a test team must work with the blue team in the end to deliver the most value to the client. It's not just good it's good business - a test team that takes the time to work with the blue team and further ask "can we help you fix those things?" can rake in up to 10x what the test cost in terms of follow on business as long as they continue to show value in helping fix the problems found.

I've been a security guard. We got no training other than the legal limits of our authority/responsibilities we have and an hour class on "physical intervention". We always got forgotten about, nobody would go through proper channels and tell us about guests visits or keep us in the loop about work going on so it isn't out the ordinary to have a bunch of randoms wandering into the building unexpectedly

If I ever see this guy near my property I'm going to be immediately suspicious

When you come back, and can't get in, then you did a good job.

“Yes, thank you, cannon-based assailants are not in our risk model.”

I've watched a few of your presentations over the last few days. Even though they're very similar and not really relevant to me, they're entertaining, informative, and easy to watch. Keep up the great work.

ok putting a jumper wire on your key ring is a genius idea. I've always just kept one in my wallet because people in theory won't see it there. nobody's gonna question you using one as a lanyard though

The most satisfying red team engagement I have had in 20+ years was when the client's developers started helping us with attack steps during the kickoff meeting. They bought into our slogan, "The Red Team is your friend". And, with their help, we achieved our goal - "Make life hell for the bad guys".

As a security guard, this hits close to home. Most of the time we get put on sites as replacements or fill ins with zero training aside from "Just check doors 1,2,3,4... every hour and call 555-5555 if there is a fire. We all pretty much accept that we're a cog in the liability system and there to be blamed when shit breaks. (Well, that's company side, I'm sure the client was sold a lie about "Highly trained professionals" and pays $90 an hour for us to walk around) armed guards are even worse, the standards are non existent and using your gun is a fast track to unemployment and possibly court no matter how justified it was. (Client probably pays $190 an hour for that skill) Please, people, *NEVER HIRE THIRD PARTY SECURITY CONTRACTORS*

This was an interesting one, I always enjoy physical pentesting. What I'd really like to hear is a talk about how to fail at it, though. Sort of a "Pentesting dont's" type of deal.

How casually you talk about your wife having reader implants. [Posthumanism intensifies]

"Im not exactly sure what security guards are trained to do." I recently worked security in Florida, one of the strictest states for security ever since an event in 2016 where a gay club got shot up by a security guard. we are trained to walk around and write reports. Our training focuses heavily on what we can legally NOT do (ie. avoiding lawsuits and COA) In practice, it's mostly preventing crime by simply wearing a uniform and walking around, checking for broken lights, taking readings from water pumps, and cleaning up the pool area after it closes - anything for the client to get their money's worth.

amazed that you used TF2 but not any images of Spy

Deviant Ollam and LockPickingLawyer are two of my favorite people who specialize in blowing massive holes in everyone's sense of security. Now just imagine if they teamed up.

Oof, a new deviant talk. There goes my next 44 minutes

great talk! it's critical to not forget the entire reason companies want a pen test in the first place. this definitely keeps that in perspective

"Look like you belong" works in some frightening ways. I did Delivery for Jimmy Johns and was literally badged in to the local Homeland Security Office because I was on delivery. They didn't ask for ID, didn't check if the order was legitimate, simply saw a uniform, matching bag in my hand, and swiped me through and gave me directions. When it comes to security guards- they are usually paid to do two things- Observe a property, and report what happens. In the case of an actual problem they call the cops. Armed guards are only slightly higher (at least in Ohio) in that they can restrain someone if their is suspicion, if there's an actual threat to someone's life they can shoot. Personally I enjoy the work but I'm happy that I do not have anywhere near the obligations of a cop even as an armed guard.

Hands down my favorite security lecturer. And, I don't even do this kind of work. But, if you have any role in security--any, you're going to benefit from this stuff, and I'm always sharing this stuff with our team.

Re: "look like you belong there." -- I can get onto the sidelines of any college or lesser sporting event just by waving my Nikon D7000 and saying "I'm with [local newspaper]." They asked to see my press badge maybe twice in the ten years I worked for the paper, never called the number on it to verify me. Related tip for photographers, make friends with a publisher who will back you up, so if they DO call to verify your credentials, your buddy will say "Oh, yeah, he's a freelancer working on a thing for me."

My dad is a contractor and my first car was an old work truck, I drove around and looked at new construction all the time, no one questions a guy in a truck with hardhats hanging in the window

stepdad is a locksmith of 30 years..ive learned alot of how insecure stuff really is by going on jobs...the keys you list i have seen in places and im like " why do you even do that?"..people never think a about security i until there is a break in, or they hire a company like yours...and its scary, that security(physical especially) isnt on peoples minds...

honestly watching your videos have made me better at my job (i'm a Private Security Contractor), thank you for your security talks and all you do man

I'm never hugging anyone again after this talk.

7:13 Marry the girl who will break into buildings for you

"It'll getcha through everything… half the time"

when i worked part time as an unarmed guard, we literally got told, "you are only there to lower the insurance rates. dont try to stop whoever breaks in, your life isnt worth it. just call the cops/hq/whatever and be done with it"

Points for somebody plugging a usb device being into the presentation computer 3:35 into the video, nothing to worry about folks, no really, im from HQ. ^^ Love your talks, keep em coming, as somebody from the Netherlands i'd love to hear a presentation about any work you ever done here and/or in neighboring countries

Amazing. So glad I saw you guys on the Modern Rogue.

Ironically, the RED team graphics used in the presentation are "blue team" defense, in actual gameplay.

Awesome video and great way of presentation! My compliments.

Masterfully well-done! Thank you for sharing.

Your presentations and stories are great! Very interesting.

"Gets you through everything, half the time" best sales pitch ever

Really interesting talk, and it gives you a lot to think about. I've had a Paxton maglock fail open at work before and no one mentioned it - even when the system emailed the reception and site staff to say the controller had fallen over. Reception ignored it, site assumed IT would deal with it and the rest of the staff just found it more convenient to have that door open all the time! Now it's integrated with the CCTV and sets off two audible alarms in the reception and main office from the CCTV head unit on a door failure or tamper and the master control unit for the site which is in a false ceiling in the office. Now they don't ignore it, as they can't. The noise gets extremely grating after a minute or two!

3:30 drove me crazy, wtf is my pc connecting oh wait

Im addict3d to these deviant talks. Hes just great to listen to.

another great presentation bro...nice.

Great job dude, keep it coming!

In Team Fortress 2 Red team is often on defence and Blu(e) on offence. Except symmetrical gamemodes.

I had a step father in the 80's who would steal big screen TV's. He would walk in the store, then 20 minutes later he'd be walking out with a store employee, pushing a cart with 4 or 5 on it. The employee would load them in the back of the truck and we'd drive off. Did this ALL the time, in different stores in 3 states.

My favorite example of bad security was at a Detroit hospital. I came in with a Badge (from a different hospital) and in scrubs, and they flagged me through security. No questions asked.

My brother and myself were the mischievous type (ha, "were"), and used to figure out ways around security measures and things all the time in school. Wed do mostly funny things with it in our childhood. Fast forward till a year or 2 ago when he worked as a low voltage electrician and was contracted to work on a government building. He was just a worker, to install and thats it. Decided to point out a few blind spots in the camera system that would allow him or anyone else to pass through without a single camera seeing him to the foreman. Foreman told him to not repeat it because they were almost finished, and that he would rather not know my brother could so quickly identify the flaws haha. Camera views are kid shit compared but i find it funny. for sure the guys who are good at it grew up similar but more focused

awesome, congrats, perfect talk. With all the whiskey video shorts I had forgotten why I subbed, now it's clear (again)

Great talk as always

So a Soldier with a rocket launcher got into an elevator. "It's cool, it's cool 🖐 😑🖐 *clears throat, kneels to the intercom* This is just a test."

So, not red teamming, but still breaking into a house (power outage, and my friend had gotten into a very bad habit of using the garage door) now, doing a little first responder, and having some pretty basic breaking in skills due to my security work, and having worked in real estate, and seeing how successful people got into places I was f*in floored at her rental, and the either dumb luck or care that went into securing this house (sunday night, and locksmith was going to charge 150 for the call out, and 150 for every part hour on the job) the security door was shimmed open in seconds, and thats where all the promising progress ended, the main door was hung corrected, and a recess added to make pulling the latch hard, but also, the striker plate was installed correctly (the first time other I'd come across that in a rental) so, that wasn't an option (only took two coke cans to find that out) hinges on the other side right, went onto the garage door, an electronic roller door, no worriers, many of these you can either lift them with force they "pop" and you're just holding up the weights of the door, and a little spring I still havent worked fully how, but I managed to just slip a car jack under and short of damaging the door, that was no longer an option right, screw it, I will bend out the track, and pop the door out of the track, and get the much thinner than me renter to shimmy past and bam nope, i bent out the track with a hammer and screw driver, but it would not pop, because as I found, there was re-enforcing ribs bolted into the house frame every 15cm holding off the the door ever being able to skip off the track! it was an tin roof, so the other normal route of lifting tiles, and getting in the roof space (an oft overlooked easy quick way in) was off the table no, the method to get it was three coat hangers, a length of string, and enoscope and hooking onto the manual over ride from the top, dropping string, lifting the door, getting the other end, (and the real trick!) pulling back down on the door to take all the upwards load off the door, and pulling the override! i was pretty impressed (and I was happy as I have no clue where my lock picks are, and it is a skill I've not using in ten odd years, and I think it would have been something I dont think I would have been good enough to do at mu rusty arse state)

I flip houses for a living. The amount of times I've had neighbors call cops on me for breaking into a vacant house I just bought is astonishing. What's even more astonishing is in every single case, I have just told the cop I just bought the house and he just left, no further questions asked.

Thanks for doing what you do ☺️

Having worked as a security guard: Yeah you get no training. MAYBE you have to read a company binder on report procedure, or watch a corporate training video. You're there to be a visible uniform and/or car, that's it. It's a deterrent, you're not actually enforcing anything lol. I think the most I was ever asked to take an active hand in things was, once there was a site where it was a gated community and they wanted me to kick people out of the pool after 11. Sometimes they'd even listen! If anyone got belligerent with me my orders were to just stand down and note it in my log for the next morning. Once my boss sent me to a gig with a company car and my job was to just sit in the parking lot. If anyone hung around, I was supposed to turn my car's lights on and see if it scared them off. It's a weird job.

I love your vids dude! I've worked at so many facilities where nobody bothered reading our shift reports and it got to where at a data center, one person would badge in then hold a door leading to a "man trap", the next facility employee would badge open the other door and whole depts would enter/exit on 2 badges lol

You're missing a Key for electrical cabinets. But that often hangs on a wire next to the cabinet and is more there to ensure it stays closed when nobody tries to open them

A cool attack vector that I discovered in my company randomly. Prerequisites: 1. Be physically there. They have desks. Desks have company phones. 2. On the back of the phone there is a NAME of the person who owns the desk. 3. Often in the reception desk there is a list of common phone numbers. 24/7 IT support is your target. Attack: 1. Go to desk of the target person, get their name, make sure that the GENDER matches. If you're playing extra safe - try one who would (from their name) have presumably your accent (or an accent that you can fake). 2. Call 24/7 IT from the phone on the desk. Say "Oh my name is X, I can't log in. Something's wrong with my password. Could you reset? ... Yeah I know it's 10PM. I'm working on this report for tomorrow, just went out for a smoke and now login fails." 3. They will just SPELL YOUR NEW PASSWORD OUT TO YOU BY PHONE. Without any further need of ID, because they see that the phone number and name match in their registry. 4. BOOM. You have now logged in as person X. Perhaps person X is a finance clerk or HR. Or maybe a director? Or the local IT guy? Go wild, mate. And you'll be forgiven in thinking that my company had a shoddy service deal and it was just a fluke and it's not probable at all in a normal setting. Yep. It was shoddy. After all it was serviced by the shadiest of the companies: I.B.M.

Aaaaaannnd... I now have an EK333 key on the way ;) Fantastic presentation as always!

Fascinating. 👍👍

Love all of the TF2 visual aids!

Actual implants for cloning RFID... That's dedication!

With me, I dont even try to break in anywhere. In fact i dont even really care about social engineering. BUT, I do deliver pizza. The amount of places i've been let in is sort of funny. I remember being in a retrirement home sort of facility and there was a door that said it was alarmed etc.. I knew I had to get in there because its what the ticket said. I waited, an employee saw me standing there with food in hand and just put in the code and let me in. Even had to wait for an employee to let me out too or the door would have set off an alarm. Food delivery drivers are trusted quite easily ive come to notice.

Dude your one of my favorite presenters and I just realized it i feel like a dummy

Tomatoes, tomatoes. If you pronounced those differently, give yourself a gold star, because you're awesome

29:40 - the red shirt of that artillery dude is perfect for the context :D

Sweet another deviant talk, thanks deviant, one day I will go to one of your talks!

I don't know what a red team is, but this was still interesting.

Goodwill is a great place to get official collard uniforms. I have seen them all from sewage and water board, Entergy, Cox, AT&T Verizon Tyco, DHL you name it

great talk.

That moment you realize the red-team defends in Tf2

I LOVE THIS

good talk, but a minor correction: that was a 40mm Bofors, it's Swedish and not Austrian. that is all, cheers!

Deev seems like the guy that will actually fix your elevator while breaking in.

there are two elevator companies in the U.S. we have one of them, Hollister & Whitney

"no one notices" talking about locking out an elevator for hours...followed by "had people calling me all day about this" :-\ Good presentation, just thought this was funny.

I don't see why customers do not sue Dork-king etc. since their product is essentially worthless now with the key being publically available.

He is so right! Learn to at least id an improperly installed deadbolt i see them everywhere corporate ugh

nice one buddy

38:20 "our flame cabinet" sounds like just flames, by themself, for when one needs one

So let me get this straight. The security holes today were the same as three years ago? And I found old guides for people building their own homes, where those are talked about as well. (From the '70s) Not the digital stuff, but the physical. I remember the tip to change the lock on the case for the electricity and to position the letterbox in a way, the postman can access it without having keys to your property. xD

Looking like you belong is a method my father has used to legitimately enter restricted areas. High-vis vest and a toolbox (that could have literally anything inside), but no ID or anything. Just walks right in, looking like he knows what he's doing, and never gets stopped or asked for ID. Granted, he was actually doing jobs there, so he had a legit reason that could actually be verified by contacting his employer, but the point still stands.

My opinion of the CH751 is that its to prevent the thing from being opened by people who do not intend to open the thing

i like this guy very entertaining video

One time I did a job with my granddad, we were installing and troubleshooting a phone lane line routing issue and a cam system. We happened to go past the main server and network system for their internet, and I noticed a LAN turtle with the literal stereotypical bullshit tag on it saying I.T. do not remove so I brought it up and we don't know how long their network was compromised and it was a hotel that touted a secure internet system. I only knew it was a LAN turtle because I wanted (and still do) to get my hands on one. Although I do not know what finally became of it I know they got their ISP out the next day to look into it. for those wondering the problem with the phone system was that over half of the room phones were routed to the wrong portions of the building and almost all of them were miss labeled.

One time when I worked as a network engineer contractor, and needed to verify switch ports on multiple floors of a hotel to plan out the number of wireless APs needed. Got to the front desk and did not even show ID, although presented myself and whom I worked for, asked for the IT person on site to get access to some closets. I was told the IT person is also their accountant and is tied up in an offsite meeting, gave me an access card. I expected keys and was told that all doors use HID readers and the card is the master card that will open ANY door so I should have no issues getting what i needed. I was sort of in a shock and wanted to tell the person, what the hell is wrong with you. However did my job, and reported it to the main IT guy who said that is just standard to give contracts unlimited access. Insane.

Deviant and Jason street make me want to go into physical pen-testing but I have no clue how I would ever get into that job

I find it funny that you showed a Las Vegas police car in your presentation about 1284x, because they don’t use keyed alike cars. Source: owned one and know several others who did as well.

If i was mr ted talk i would get Mr Ollam on... every "episode"

I like the image he used for the security truck is my old company that died due to a lawsuit for abusing a loophole to take away guard's lunch.

Hunt pack inside clip board, place on reception desk, read all cards in reception desk?