WEBVTT 1 00:00:00.120 --> 00:00:03.080 Imagine a state of the art bank vault. Like we 2 00:00:03.120 --> 00:00:06.599 are talking three foot thick solid steel. 3 00:00:06.240 --> 00:00:08.880 Doors right the whole nine yards exactly. 4 00:00:09.240 --> 00:00:13.480 You've got invisible laser grids crisscrossing the floor, seismic sensors 5 00:00:13.519 --> 00:00:17.039 buried in the concrete, retinal scanners at the entrance, just 6 00:00:17.359 --> 00:00:21.480 you know, the ultimate impenetrable fortress. Unbeatable, right, totally unbeatable. 7 00:00:21.960 --> 00:00:24.839 But then the bank manager decides to prop the back 8 00:00:24.839 --> 00:00:28.679 door open with the brick because it is a nice 9 00:00:28.719 --> 00:00:30.600 spring day and they want to cross breeze. 10 00:00:30.640 --> 00:00:32.479 Oh wow, yeah. 11 00:00:32.119 --> 00:00:35.000 And just like that, a billion dollars worth of cutting 12 00:00:35.079 --> 00:00:39.640 edge security is riddered completely useless by like a single 13 00:00:39.799 --> 00:00:41.280 mundane human. 14 00:00:41.039 --> 00:00:42.759 Decision, which is terrifying. 15 00:00:42.840 --> 00:00:45.039 It really is. And that isn't just a fun metaphor. 16 00:00:45.159 --> 00:00:49.719 That is the exact reality of information security today. So 17 00:00:49.759 --> 00:00:51.920 our mission for this deep dive is to figure out 18 00:00:51.960 --> 00:00:54.600 how to truly protect our information and to do that, 19 00:00:54.840 --> 00:00:56.840 we have to learn how to break into our own systems. 20 00:00:56.880 --> 00:00:58.320 We have to think like the attackers. 21 00:00:58.479 --> 00:01:01.600 Exactly. We are pulling insights from a foundational guide in 22 00:01:01.640 --> 00:01:04.840 the space. It's called Hacking for Dummies, fourth edition by 23 00:01:04.920 --> 00:01:05.439 Kevin Beaver. 24 00:01:05.799 --> 00:01:10.319 It is an incredibly eye opening exploration of vulnerability because 25 00:01:10.400 --> 00:01:13.840 you know, what becomes rapidly apparent is that the traditional 26 00:01:13.959 --> 00:01:17.760 view of security, like building a taller wall, is often 27 00:01:17.840 --> 00:01:19.879 just looking in the wrong direction, entirely. 28 00:01:19.680 --> 00:01:22.640 Totally so for you listening, whether you are an it 29 00:01:22.959 --> 00:01:26.280 professional prepping for a corporate audit, or you know you 30 00:01:26.359 --> 00:01:29.599 are just insanely curious about how real world attackers operate, 31 00:01:30.200 --> 00:01:33.799 we are going to reveal that the biggest threats aren't complex. 32 00:01:34.359 --> 00:01:37.200 They aren't like scrolling lines of green code in a. 33 00:01:37.239 --> 00:01:39.239 Dark room, right, the whole Hollywood hacker thing. 34 00:01:39.359 --> 00:01:42.640 Yeah, exactly. Sometimes the biggest threats are as simple as 35 00:01:42.680 --> 00:01:45.680 a friendly conversation in a lobby and unlocked office door, 36 00:01:46.120 --> 00:01:49.239 or someone literally using the word password to protect their 37 00:01:49.239 --> 00:01:49.840 life's work. 38 00:01:50.000 --> 00:01:51.840 It happens way more often than you'd think. 39 00:01:52.000 --> 00:01:54.400 Okay, let's unpack this. Before we can even begin to 40 00:01:54.400 --> 00:01:58.359 stop an attack, we have to understand the modern threat landscape. 41 00:01:58.480 --> 00:02:01.120 We need to define who is act doing the attacking 42 00:02:01.439 --> 00:02:04.400 because pop culture has completely scrambled the terminology. 43 00:02:04.480 --> 00:02:06.840 Yeah, they really have. The media uses hacker as a 44 00:02:06.840 --> 00:02:10.680 catch all term for cyber criminals, but historically hackers are 45 00:02:10.719 --> 00:02:11.960 just tinkerers. 46 00:02:11.680 --> 00:02:14.000 Like people who just like to take things apart exactly. 47 00:02:14.360 --> 00:02:17.759 They are the curious engineers who want to reverse engineer 48 00:02:17.840 --> 00:02:20.759 a system just to see how it ticks. They aren't 49 00:02:20.759 --> 00:02:22.039 inherently malicious. 50 00:02:22.400 --> 00:02:24.680 Okay, So what do we call the bad guys? Right? 51 00:02:24.960 --> 00:02:28.000 The actual criminals, the ones seeking personal financial gain or 52 00:02:28.000 --> 00:02:31.439 causing malicious destruction. They are technically called. 53 00:02:31.439 --> 00:02:34.879 Crackers crackers okay, yeah, but then you have the third category, right, 54 00:02:35.039 --> 00:02:36.159 malicious users? 55 00:02:36.319 --> 00:02:38.439 Yes, the insiders right. 56 00:02:38.400 --> 00:02:42.520 Rogue employees, contractors, or interns. I was looking at the 57 00:02:42.520 --> 00:02:46.560 statistics on this, and historically a massive eighty percent of 58 00:02:46.599 --> 00:02:49.240 security breaches are traced back to insiders. 59 00:02:49.319 --> 00:02:50.400 It's a huge number. 60 00:02:50.759 --> 00:02:53.280 It's wild. Wait, so if eight out of ten breaches 61 00:02:53.360 --> 00:02:56.599 are just like Jim from accounting snooping where he shouldn't, 62 00:02:56.800 --> 00:02:59.840 why is the industry so utterly obsessed with mask ci 63 00:03:00.240 --> 00:03:03.759 criminals in remote countries. Shouldn't companies just hyper focus on 64 00:03:03.840 --> 00:03:05.319 monitoring their own coworkers? 65 00:03:05.439 --> 00:03:07.879 Well, it is tempting to think that way. Yeah, but 66 00:03:08.039 --> 00:03:11.400 insider threats and external threats operate on two completely different 67 00:03:11.479 --> 00:03:15.199 threat models. How so insiders are incredibly dangerous because of 68 00:03:15.199 --> 00:03:17.919 their starting position. I mean, they don't have to bypass 69 00:03:17.960 --> 00:03:20.240 the external fire while they are already sitting at a 70 00:03:20.280 --> 00:03:22.360 desk on the trusted side of the network. 71 00:03:22.439 --> 00:03:25.120 Oh right, they already have the keys to the building exactly. 72 00:03:25.719 --> 00:03:29.400 Furthermore, an external attacker might spend weeks digging through a 73 00:03:29.479 --> 00:03:32.520 network trying to figure out where the valuable data is kept. 74 00:03:32.960 --> 00:03:37.240 But Jim from Accounting he already knows exactly which server 75 00:03:37.560 --> 00:03:41.759 holds the unencrypted Q three financial projections. 76 00:03:41.240 --> 00:03:43.199 Because he works there. He has the map. 77 00:03:43.240 --> 00:03:47.000 He has the map. But you absolutely cannot ignore the 78 00:03:47.039 --> 00:03:50.960 external threat because of a mathematical reality. If we connect 79 00:03:51.000 --> 00:03:53.520 this to the bigger picture, it all comes down to 80 00:03:53.560 --> 00:03:57.000 what security professionals call the law of averages. 81 00:03:56.960 --> 00:03:59.759 Which dictates that if a system exists, it will eventually 82 00:03:59.759 --> 00:04:00.560 be compromise. 83 00:04:00.639 --> 00:04:04.960 Precisely, with the sheer growth of system complexity, the explosion 84 00:04:04.960 --> 00:04:10.360 of mobile devices, and the complete reliance on distributed cloud computing, 85 00:04:10.879 --> 00:04:13.080 your attack surface is virtually infinite. 86 00:04:13.159 --> 00:04:14.199 Right, everything is connected. 87 00:04:14.439 --> 00:04:17.800 You might have ten thousand devices connecting to your network daily. 88 00:04:18.399 --> 00:04:22.959 The probability of zero vulnerabilities across all those endpoints approaches zero. 89 00:04:23.279 --> 00:04:25.600 It is a mathematical inevitability. 90 00:04:25.959 --> 00:04:29.680 So while the insider thread is potent and targeted, the 91 00:04:29.879 --> 00:04:32.920 external threats are just this constant evolving barrage. 92 00:04:33.160 --> 00:04:36.399 Exactly, a constant barrage, and that barrage comes in a 93 00:04:36.399 --> 00:04:37.240 lot of different flavors. 94 00:04:37.319 --> 00:04:39.399 Right, You've got script kitties, the novices. 95 00:04:39.480 --> 00:04:40.560 Oh, the script kitties. 96 00:04:40.800 --> 00:04:44.160 They just download free, pre written exploit frameworks off the 97 00:04:44.160 --> 00:04:48.279 Internet and fire them blandly at networks without really understanding 98 00:04:48.360 --> 00:04:49.360 the underlying code. 99 00:04:49.560 --> 00:04:53.040 Right. They are noisy, They crash servers by accident, and 100 00:04:53.079 --> 00:04:56.399 they leave massive digital fingerprints in the server logs. 101 00:04:56.600 --> 00:04:57.439 Just totally sloppy. 102 00:04:57.519 --> 00:04:57.759 Yeah. 103 00:04:57.759 --> 00:05:00.439 But on the completely opposite end of the spectrum, you 104 00:05:00.519 --> 00:05:02.120 have security researchers. 105 00:05:02.480 --> 00:05:06.000 Yeah, these are the elite architects. They hunt for undiscovered 106 00:05:06.079 --> 00:05:10.160 vulnerabilities like zero days and responsibly disclose them to software 107 00:05:10.240 --> 00:05:11.480 vendors so they can be patched. 108 00:05:11.720 --> 00:05:15.160 Okay, so yeah, the novices and the elite researchers. But 109 00:05:15.240 --> 00:05:16.480 they're a bunch in the middle too. 110 00:05:16.759 --> 00:05:20.079 The motivations in the middle of that spectrum are incredibly varied. 111 00:05:20.480 --> 00:05:25.240 You have activists breaking into systems to deface websites and 112 00:05:25.279 --> 00:05:29.879 disseminate political messages. You have cyber terrorists whose stated goal 113 00:05:30.040 --> 00:05:33.639 is to attack critical infrastructure, you know, compromising water treatment 114 00:05:33.639 --> 00:05:35.160 plans or air traffic. 115 00:05:34.839 --> 00:05:36.600 Control systems, which is terrifying. 116 00:05:36.720 --> 00:05:39.399 And then you have the hackers for hire. These are 117 00:05:39.519 --> 00:05:45.439 organized crime syndicates operating like modern corporations, running ransomware campaigns 118 00:05:45.480 --> 00:05:47.439 for massive financial. 119 00:05:46.879 --> 00:05:50.680 Payouts, which is exactly why the industry relies on ethical hacking. 120 00:05:50.879 --> 00:05:51.040 Yeah. 121 00:05:51.079 --> 00:05:53.920 I mean, to beat an attacker, you have to emulate 122 00:05:54.000 --> 00:05:55.240 their tactics. 123 00:05:54.759 --> 00:05:56.480 Perfectly, right, you have to play their game. 124 00:05:56.879 --> 00:06:00.279 But ethical hackers operate under strict commandments, right Like you 125 00:06:00.279 --> 00:06:04.120 always secure explicit written permission before touching. 126 00:06:03.879 --> 00:06:06.160 A network, absolutely, that is rule number one. 127 00:06:06.279 --> 00:06:09.120 You fiercely respect the privacy of the data you uncover, 128 00:06:09.240 --> 00:06:12.800 and most importantly, you never ever crash the system you 129 00:06:12.839 --> 00:06:15.680 are testing. You were there to find the structural weaknesses, 130 00:06:15.959 --> 00:06:17.240 not to burn the house down. 131 00:06:17.360 --> 00:06:21.040 And what ethical hackers frequently discover is that the easiest 132 00:06:21.040 --> 00:06:24.160 way to break into the house isn't through a digital window. 133 00:06:24.720 --> 00:06:26.839 It is by walking right up to the front door, 134 00:06:27.120 --> 00:06:29.199 ringing the bell and being invited inside. 135 00:06:29.319 --> 00:06:32.399 Oh man, Yeah, there's this great concept that came across 136 00:06:32.439 --> 00:06:34.439 on the material called candy security. 137 00:06:34.560 --> 00:06:35.879 Oh. I love this analogy. 138 00:06:36.240 --> 00:06:39.000 Organizations love to build themselves up like a piece of candy. 139 00:06:39.360 --> 00:06:45.959 They have a hard, crunchy outside massive network, firewalls, military 140 00:06:46.000 --> 00:06:51.439 grade encryption tunnels, automated intrusion prevention system. A hard shell exactly, 141 00:06:51.759 --> 00:06:54.800 But if you bypass that perimeter, you have a soft, 142 00:06:54.959 --> 00:06:57.800 chewy inside. It reminds me of a medieval castle. You've 143 00:06:57.800 --> 00:07:00.199 got the moat, the portcullis, the archer station on the 144 00:07:00.199 --> 00:07:03.279 stone walls. It looks impenetrable, right, But if an attacker 145 00:07:03.319 --> 00:07:05.199 just walks up to the drawbridge carrying a basket of 146 00:07:05.240 --> 00:07:08.279 fresh bread and smiles warmly at the guard, the guard 147 00:07:08.319 --> 00:07:10.639 lowers the bridge and lets them walk right into the courtyard. 148 00:07:10.720 --> 00:07:13.759 What's fascinating here is that you are describing social engineering. 149 00:07:13.959 --> 00:07:16.480 It is the exploitation of the trusting nature of human 150 00:07:16.480 --> 00:07:20.399 beings for malicious gain, and it is arguably the hardest 151 00:07:20.439 --> 00:07:24.279 attack vector to defend against, simply because you cannot patch 152 00:07:24.399 --> 00:07:26.399 human empathy with a software update. 153 00:07:26.639 --> 00:07:30.079 You really can't. The case study from professional social engineer 154 00:07:30.120 --> 00:07:32.360 Ira Winkler illustrates this perfectly. 155 00:07:32.480 --> 00:07:35.079 Oh the Winkler case. This is a classic. 156 00:07:35.319 --> 00:07:38.600 It's so good. So Winkler was hired by a major 157 00:07:38.639 --> 00:07:42.600 corporation to test their security. He in an accomplice target 158 00:07:42.680 --> 00:07:45.360 the main headquarters during the morning rush. They don't have 159 00:07:45.399 --> 00:07:49.120 employee badges. They just walk through the front doors, pretending 160 00:07:49.160 --> 00:07:51.800 to be engrossed in a deep, serious conversation on their 161 00:07:51.839 --> 00:07:55.680 cell phones. Right, and they breeze right past the lobby attendant. 162 00:07:55.399 --> 00:07:58.720 Exploiting a fundamental social norm. I mean, most polite people 163 00:07:58.800 --> 00:08:02.480 will actively avoid Lloyd interrupting a stranger who is clearly 164 00:08:02.519 --> 00:08:04.120 in the middle of an important phone call. 165 00:08:04.279 --> 00:08:07.240 Exactly. It creates a psychological blind spot, it really does. 166 00:08:07.399 --> 00:08:11.000 So they get inside, locate an empty conference room, and 167 00:08:11.120 --> 00:08:14.199 use the internal company phone to dial the front desk. Yeah, 168 00:08:14.240 --> 00:08:17.800 Winkler poses as the company's chief information officer. 169 00:08:17.639 --> 00:08:20.120 Just completely brazen seriously. 170 00:08:20.040 --> 00:08:22.480 He tells the desk attendant, I've a couple of subcontractors 171 00:08:22.480 --> 00:08:25.399 coming down to the lobby. They need temporary visitor badges. 172 00:08:26.040 --> 00:08:29.319 The desk says, no problem. Winkler and his buddy hang up, 173 00:08:29.639 --> 00:08:31.360 walk back down to the lobby and pick up the 174 00:08:31.360 --> 00:08:33.279 badges they just authorize for themselves. 175 00:08:33.399 --> 00:08:39.200 They transition from unbadged strangers to documented expected guests in 176 00:08:39.240 --> 00:08:44.000 about five minutes. But the truly catastrophic failure happens next. 177 00:08:44.120 --> 00:08:48.320 Yes, a uniform security guard hands them their new temporary 178 00:08:48.320 --> 00:08:51.120 badges and politely asks, so what are you guys working 179 00:08:51.159 --> 00:08:55.759 on today. Winkler just casually replies computers, Yes, computers, the computers, 180 00:08:55.799 --> 00:08:57.799 and the guard says, oh, do you need access to 181 00:08:57.840 --> 00:08:58.799 the main computer room. 182 00:08:58.919 --> 00:09:02.039 It is stunning. The guard is actively facilitating the breach. 183 00:09:02.320 --> 00:09:05.960 Winkler says, that would help. Within two hours of walking 184 00:09:06.000 --> 00:09:08.159 into that building with nothing but a fake phone call, 185 00:09:08.440 --> 00:09:10.679 they use their new access to enter the main computer 186 00:09:10.720 --> 00:09:13.960 server room, sit down at a terminal, add a new 187 00:09:14.080 --> 00:09:17.879 user profile to the Windows domain, and grant themselves full 188 00:09:17.960 --> 00:09:22.879 administrator rights over the entire global corporate network in two hours. 189 00:09:22.919 --> 00:09:23.519 Two hours. 190 00:09:23.840 --> 00:09:28.080 Social engineers are exploiting something deeply ingrained in our psychology, 191 00:09:28.279 --> 00:09:32.039 like the natural human desire to be a team player. 192 00:09:32.559 --> 00:09:35.279 They rely heavily on two main tactics. 193 00:09:35.399 --> 00:09:36.279 Okay, what are they? 194 00:09:36.399 --> 00:09:40.440 The first is likability. They find common ground. They are courteous, 195 00:09:40.480 --> 00:09:44.399 they make eye contact and smile. We are biologically wired 196 00:09:44.440 --> 00:09:46.360 to want to help someone we find agreeable. 197 00:09:46.440 --> 00:09:47.000 That makes sense. 198 00:09:47.080 --> 00:09:50.279 And the second, the second tactic, is believability. They act 199 00:09:50.320 --> 00:09:52.480 like they belong there. They wear the uniform of the 200 00:09:52.480 --> 00:09:56.080 corporate culture. They might casually name drop a department head 201 00:09:56.080 --> 00:10:00.799 they found on LinkedIn or you use specific internal company right. 202 00:10:00.879 --> 00:10:03.519 They do their homework. But there are warning signs like 203 00:10:03.600 --> 00:10:06.120 you have to be vigilant if someone is acting overly 204 00:10:06.159 --> 00:10:09.120 friendly out of nowhere, or if they are needlessly name 205 00:10:09.200 --> 00:10:11.440 dropping executives to establish authority. 206 00:10:11.519 --> 00:10:12.120 Absolutely. 207 00:10:12.240 --> 00:10:16.600 Another massive tell is over emphasizing details like if someone 208 00:10:16.639 --> 00:10:18.799 gives you a three minute back story about their morning 209 00:10:18.799 --> 00:10:22.039 commute just to ask for a temporary badge, or if 210 00:10:22.080 --> 00:10:24.840 they start answering questions you haven't even asked yet. That 211 00:10:25.000 --> 00:10:27.360 is a huge red flag. That is the sign of 212 00:10:27.360 --> 00:10:31.000 a deceptive narrative being actively nervously constructive. 213 00:10:31.120 --> 00:10:35.320 Precisely, the social engineer's entire goal is to bypass the 214 00:10:35.320 --> 00:10:39.120 digital firewall by manipulating the human element. And if a 215 00:10:39.120 --> 00:10:42.320 social engineer can simply ask a uniformed guard for a 216 00:10:42.360 --> 00:10:44.840 badge to the server room, it makes you wonder what 217 00:10:44.879 --> 00:10:48.360 happens when they don't even bother asking. Right, social engineering 218 00:10:48.440 --> 00:10:52.320 seamlessly transitions into physical security, breaches the physical. 219 00:10:51.960 --> 00:10:55.960 Layer, the absolute bedrock that all digital security rests upon. 220 00:10:56.480 --> 00:10:59.080 I was reading about Jack Wiles, a pioneer in physical 221 00:10:59.080 --> 00:11:02.720 penetration testing, and his team's tactics are mind blowing. They 222 00:11:02.720 --> 00:11:05.799 really are. Wiles operated under the philosophy that millions of 223 00:11:05.840 --> 00:11:10.399 dollars in electronic countermeasures like smart card readers, biometric scanners. 224 00:11:10.639 --> 00:11:14.320 They're completely worthless if your physical security protocols are weak, 225 00:11:14.360 --> 00:11:16.960 because you can just walk past them exactly. His team's 226 00:11:17.039 --> 00:11:21.080 most successful tactic for infiltrating corporate headquarters wasn't a complex hack. 227 00:11:21.320 --> 00:11:22.720 It was tailgating, right. 228 00:11:23.440 --> 00:11:26.519 They exploit the mechanics of access control. You know, when 229 00:11:26.559 --> 00:11:30.720 an employee swipes a valid badge, the electronic lock disengages 230 00:11:31.240 --> 00:11:34.039 and the door mechanism holds the door open for roughly 231 00:11:34.120 --> 00:11:34.919 three to five. 232 00:11:34.799 --> 00:11:37.759 Seconds, and Wiles and his Red team would just hang 233 00:11:37.799 --> 00:11:41.879 out near the dis needed employee smoking area outside. When 234 00:11:41.879 --> 00:11:44.279 the employees finish their break and swipe their badges to 235 00:11:44.320 --> 00:11:47.919 go back inside, Wiles would just smile, say thank you, 236 00:11:48.320 --> 00:11:51.200 grab the door handle before it clicks shut, and walk 237 00:11:51.320 --> 00:11:52.240 right in behind them. 238 00:11:52.320 --> 00:11:53.039 It's that simple. 239 00:11:53.200 --> 00:11:55.120 I have to ask you listening to this right now, 240 00:11:56.080 --> 00:11:57.960 how many times have you held the door open for 241 00:11:58.000 --> 00:12:00.279 someone of your office just to be polite. You see 242 00:12:00.279 --> 00:12:02.120 a person with their hands full of coffee cups, you 243 00:12:02.159 --> 00:12:04.879 hold the door. It is common decency, of course, but 244 00:12:04.960 --> 00:12:09.440 to an attacker, your common decency is a highly exploitable 245 00:12:09.519 --> 00:12:10.679 access vulnerability. 246 00:12:11.039 --> 00:12:13.679 And if Wiles or his team were ever stopped and 247 00:12:13.759 --> 00:12:17.200 challenged in the hallway by a vigilant employee, they didn't panic. 248 00:12:17.559 --> 00:12:20.720 They used a pre planned, low stakes narrative like what 249 00:12:20.960 --> 00:12:22.759 they'd just say, Oh, we thought this was the human 250 00:12:22.799 --> 00:12:26.080 resources department. We're here to apply for the open analyst position. 251 00:12:26.200 --> 00:12:27.360 Oh that's smart, right. 252 00:12:27.960 --> 00:12:31.879 The employee, realizing they just confronted a nervous job applicant, 253 00:12:32.080 --> 00:12:36.080 would usually apologize, give them directions, and let them wander 254 00:12:36.120 --> 00:12:37.440 off deeper into the facility. 255 00:12:37.480 --> 00:12:39.559 Wait, hold on, I need to ask about another physical 256 00:12:39.600 --> 00:12:42.159 tactic mentioned in the text, dumpster diving. 257 00:12:42.279 --> 00:12:44.799 Ah, yes, dumpster diving. 258 00:12:44.879 --> 00:12:48.240 We are talking about cybermasterminds who can code circles around 259 00:12:48.240 --> 00:12:52.120 network intrusion systems. You're telling me they are actually physically 260 00:12:52.159 --> 00:12:56.120 climbing into dumpsters and digging through half eaten tuna sandwiches 261 00:12:56.120 --> 00:12:58.799 and coffee grounds in an alleyway. That feels like a 262 00:12:58.840 --> 00:12:59.919 Hollywood movie trope. 263 00:13:00.240 --> 00:13:03.000 It absolutely sounds like a movie trope until you realize 264 00:13:03.039 --> 00:13:06.879 the sheer intelligence value of what organizations routinely throw away 265 00:13:07.399 --> 00:13:09.519 paper is the original unencrypted hard drive. 266 00:13:09.559 --> 00:13:10.360 Okay, fair point. 267 00:13:11.039 --> 00:13:14.799 Jack Wiles's team would specifically target organizations that used standard 268 00:13:14.840 --> 00:13:19.519 strip cut shredders. Companies think they are practicing good operational security, right, 269 00:13:20.000 --> 00:13:23.600 but they put those long shredded strips into clear plastic bags. 270 00:13:24.039 --> 00:13:27.759 Wiles's team would steal those bags out of the recycling bins, 271 00:13:27.879 --> 00:13:30.519 take them back to a secure lab, take the strips 272 00:13:30.559 --> 00:13:33.639 to a piece of cardboard and inch apart, and literally 273 00:13:34.039 --> 00:13:38.240 reconstruct and read confidential financial data within a few hours. 274 00:13:38.480 --> 00:13:41.279 Wow, they just put the puzzle back together exactly. 275 00:13:41.840 --> 00:13:44.879 If you aren't using a crosscut shredder that turns sensitive 276 00:13:44.879 --> 00:13:48.759 documents into microscopic confetti, you aren't destroying data. You are 277 00:13:48.799 --> 00:13:51.240 just momentarily inconveniencing the attacker. 278 00:13:51.360 --> 00:13:54.840 Okay, that makes sense, But the physical vulnerability that truly 279 00:13:54.879 --> 00:13:58.360 blew my mind is the open network. Jack. Think about 280 00:13:58.360 --> 00:14:02.279 a typical corporate lobby where get weight. There is almost 281 00:14:02.320 --> 00:14:05.919 always a voiceover IP phone a VoIP phone sitting on 282 00:14:06.000 --> 00:14:08.039 a table or the receptionist. 283 00:14:07.600 --> 00:14:10.639 Desk, a phone that is physically plugged directly into the 284 00:14:10.639 --> 00:14:12.360 company's internal data network. 285 00:14:12.519 --> 00:14:15.039 Right. The attacker doesn't even need to get past the lobby. 286 00:14:15.240 --> 00:14:17.919 They just sit on the waiting couch, unplug the Ethernet 287 00:14:17.919 --> 00:14:20.399 cable from the back of the VOYP phone. Plug that 288 00:14:20.440 --> 00:14:23.840 cable directly into their laptop, and boom, They're in. Because 289 00:14:23.840 --> 00:14:26.799 they are physically plugged into an internal wallport, they are 290 00:14:26.840 --> 00:14:31.440 already behind the perimeter firewall. They bypass the crunchy outside completely. 291 00:14:31.600 --> 00:14:35.679 That perfectly illustrates why physical security failures are so devastating. 292 00:14:36.399 --> 00:14:40.639 Digital security is primarily outward facing. You can buy the 293 00:14:40.639 --> 00:14:44.919 most expensive intrusion detection software on the market. But what 294 00:14:44.960 --> 00:14:49.279 if the facilities team never changed the default administrator password 295 00:14:49.360 --> 00:14:52.799 on the IP based security cameras hanging in the hallway. 296 00:14:52.519 --> 00:14:54.200 Right the cameras are just wide open. 297 00:14:54.360 --> 00:14:57.000 Or what if an attacker physically walks into an empty 298 00:14:57.000 --> 00:15:02.399 cubicle and plugs a tiny cellular enabled penetration drop box 299 00:15:02.720 --> 00:15:05.159 into a standard power outlet behind a desk. 300 00:15:05.360 --> 00:15:06.320 Oh Man, your. 301 00:15:06.200 --> 00:15:09.279 Million dollar digital defenses are staring out at the Internet, 302 00:15:09.320 --> 00:15:12.279 completely oblivious to the fact that the attacker is already 303 00:15:12.320 --> 00:15:16.039 inside the room, broadcasting your internal network traffic over a 304 00:15:16.080 --> 00:15:17.480 five G cellular connection. 305 00:15:17.679 --> 00:15:20.879 Here's where it gets really interesting. Let's see the attackers inside. 306 00:15:21.000 --> 00:15:24.039 They've bypassed the receptionist, They've plugged into the wall. They 307 00:15:24.039 --> 00:15:27.080 are on the network. Okay, the final barrier between them 308 00:15:27.159 --> 00:15:30.240 and the Kingdom's crown jewels is usually a password, and 309 00:15:30.279 --> 00:15:32.960 as the math shows us, a password is barely a 310 00:15:33.000 --> 00:15:33.720 barrier at all. 311 00:15:33.799 --> 00:15:36.559 It is the ultimate false sense of security, and that 312 00:15:36.679 --> 00:15:38.879 is primarily due to human psychology. 313 00:15:39.159 --> 00:15:41.720 It is the absurdity of human nature. We have the 314 00:15:41.759 --> 00:15:48.279 computing capability to create trillion combination mathematically unbreakable passwords, Yet 315 00:15:48.440 --> 00:15:50.080 what do people actually do. 316 00:15:50.039 --> 00:15:51.200 They use the word password. 317 00:15:51.320 --> 00:15:54.440 Yes, we use the word password. We use abc one 318 00:15:54.440 --> 00:15:57.559 two three, or we write our complex password on a 319 00:15:57.600 --> 00:15:59.559 yellow sticky note and slap it right on the bezel 320 00:15:59.600 --> 00:16:03.320 of the monitor. We prioritize our own short term convenience 321 00:16:03.480 --> 00:16:06.559 over our own long term security every single time. 322 00:16:06.919 --> 00:16:10.039 But you know, even if an employee uses a reasonably 323 00:16:10.320 --> 00:16:14.960 complex password, the underlying technology storing that password might still 324 00:16:15.000 --> 00:16:15.559 betray them. 325 00:16:15.639 --> 00:16:16.480 How does that work? 326 00:16:16.879 --> 00:16:19.519 This requires a quick look at the mechanics of hash cracking. 327 00:16:20.000 --> 00:16:23.000 When you create a password, the computer operating system does 328 00:16:23.039 --> 00:16:25.000 not save the actual plaintext word, right. 329 00:16:25.080 --> 00:16:27.279 It doesn't just save it in a text file exactly. 330 00:16:27.360 --> 00:16:30.919 It runs your word through a cryptographic one way encryption algorithm, 331 00:16:31.200 --> 00:16:34.679 turning it into a fixed string of hexadecimal gibberish. That 332 00:16:34.759 --> 00:16:36.600 string is called a hash I. 333 00:16:36.519 --> 00:16:38.360 Love the analogy of a meat grinder for this. You 334 00:16:38.399 --> 00:16:39.960 put a prime stake into a meat grinder and you 335 00:16:40.039 --> 00:16:43.200 get ground beef out, but you cannot run the grinder 336 00:16:43.240 --> 00:16:45.639 in reverse to turn the ground beef back into a stake. 337 00:16:46.000 --> 00:16:47.480 That's a perfect way to look at it. 338 00:16:47.480 --> 00:16:50.440 It is mathematically a one way function. So when you 339 00:16:50.480 --> 00:16:53.120 log in tomorrow, the computer grinds up the password you 340 00:16:53.240 --> 00:16:56.600 just talked and compares the new ground beef to the 341 00:16:56.639 --> 00:16:59.799 ground beef. It is stored in its database. If the 342 00:17:00.480 --> 00:17:02.440 match perfectly, it unlocks the door. 343 00:17:02.639 --> 00:17:05.200 That's a great way to visualize it. For decades, attackers 344 00:17:05.200 --> 00:17:09.319 relied on brute force attacks. The attacker steals the database 345 00:17:09.359 --> 00:17:12.599 of ground beef and their computer just rapidly guesses every 346 00:17:12.640 --> 00:17:15.599 single word in the English dictionary, runs it through the 347 00:17:15.599 --> 00:17:19.440 hashing algorithm, and checks if the output matches the stolen hash. 348 00:17:19.599 --> 00:17:23.559 But running that mathematical calculation millions of times takes CPU 349 00:17:23.720 --> 00:17:26.960 power and more importantly, a massive amount of time. 350 00:17:27.160 --> 00:17:30.119 Right, it could take years for a truly complex password. 351 00:17:30.680 --> 00:17:35.240 But doctor Philippe Oaksland completely shattered this paradigm. He researched 352 00:17:35.240 --> 00:17:38.079 a technique called rainbow cracking, which relies on the time 353 00:17:38.119 --> 00:17:38.920 memory trade off. 354 00:17:38.960 --> 00:17:39.759 Tell me more about that. 355 00:17:39.920 --> 00:17:42.680 Doctor Ouxslann realized there was a fatal flaw in how 356 00:17:42.720 --> 00:17:46.880 older Windows operating systems, specifically the LM and NTLM protocols, 357 00:17:47.240 --> 00:17:49.559 handled hashing. They lack something. 358 00:17:49.319 --> 00:17:50.920 Called a salt. Yeah. 359 00:17:51.559 --> 00:17:54.519 A cryptographic salt is simply a random string of extra 360 00:17:54.640 --> 00:17:57.799 characters seamlessly added to your password before it gets hashed. 361 00:17:58.240 --> 00:18:01.839 It ensures that if twomployees both use the password Apple, 362 00:18:02.440 --> 00:18:05.160 their resulting hashes will look completely different because the salt 363 00:18:05.200 --> 00:18:05.599 is different. 364 00:18:05.720 --> 00:18:09.319 Ah okay, but without assault, the word Apple will always 365 00:18:09.400 --> 00:18:13.000 produce the exact same sixty four character string of gibberish 366 00:18:13.319 --> 00:18:16.480 every single time, on every single Windows machine in the 367 00:18:16.480 --> 00:18:17.519 world exactly. 368 00:18:17.960 --> 00:18:22.119 So doctor Oakesland realized, why are we wasting computing power 369 00:18:22.240 --> 00:18:24.880 calculating these hashes over and over again on the fly. 370 00:18:25.599 --> 00:18:28.119 Let's just pre calculate them all once and save the answers. 371 00:18:28.240 --> 00:18:28.759 Oh wow. 372 00:18:29.079 --> 00:18:32.720 He and his team generated massive dictionaries containing every possible 373 00:18:32.759 --> 00:18:36.279 password combination, hashed them, and stored the results in a 374 00:18:36.279 --> 00:18:40.359 one gigabyte table containing two hundred and fifty million pre 375 00:18:40.519 --> 00:18:42.839 calculated entries. These are called Rainbow tables. 376 00:18:42.920 --> 00:18:45.039 So he traded the computing time it takes to guess 377 00:18:45.039 --> 00:18:47.640 a password for the hard drive memory required to store 378 00:18:47.680 --> 00:18:50.880 the pre guest answers. Yes, it turns a complex mathematical 379 00:18:50.920 --> 00:18:55.359 decryption problem into a simple, lightning fast database lookup, and. 380 00:18:55.519 --> 00:18:59.799 The efficiency gains are terrifying. Instead of spending days brute 381 00:18:59.799 --> 00:19:03.400 for it, sing Ochland's tool compared the stolen hashes against 382 00:19:03.400 --> 00:19:08.039 his rainbow tables and cracked one and forty five Windows 383 00:19:08.079 --> 00:19:11.519 passwords in an average of seven point seven seconds. 384 00:19:11.759 --> 00:19:15.599 Seven point seven seconds to shatter a network security that 385 00:19:15.799 --> 00:19:18.799 is wild, and the tools to do this are widely available, 386 00:19:18.880 --> 00:19:21.279 right like, let's break down how they actually work. You 387 00:19:21.359 --> 00:19:24.400 have a tool like pwump three. This is the heist. 388 00:19:24.759 --> 00:19:27.839 It targets the Windows Security Accounts Manager at the SAM database. 389 00:19:28.319 --> 00:19:32.079 It extracts the raw locked hashes out of the operating system. 390 00:19:32.119 --> 00:19:34.400 It grabs the lock safes. Then you need the safe 391 00:19:34.400 --> 00:19:35.359 crackers exactly. 392 00:19:35.480 --> 00:19:38.279 Then you have off crack. This tool is brilliant because 393 00:19:38.279 --> 00:19:40.519 it boots up bright from a CD or a USB drive. 394 00:19:40.920 --> 00:19:44.319 By booting from external media, it bypasses the Windows operating 395 00:19:44.359 --> 00:19:45.759 system file locks entirely. 396 00:19:45.880 --> 00:19:46.759 It's very clever. 397 00:19:46.920 --> 00:19:49.559 He grabs the hashes and uses those massive rainbow tables 398 00:19:49.599 --> 00:19:52.799 we just talked about to cross reference the answers instantly. 399 00:19:52.359 --> 00:19:54.480 And if the password is too complex or it uses 400 00:19:54.519 --> 00:19:57.160 as salt that defeats the rainbow table, attackers fall back 401 00:19:57.160 --> 00:19:58.200 on John the Ripper. 402 00:19:58.000 --> 00:19:59.720 Oh, the legendary brute force tool. 403 00:20:00.039 --> 00:20:05.319 Exactly. It doesn't just guesswords. It uses highly customizable mutation 404 00:20:05.519 --> 00:20:09.960 rules like if the dictionary word password fails, John the 405 00:20:10.000 --> 00:20:13.240 Ripper automatically mutates the guess. It'll swak the A for 406 00:20:13.279 --> 00:20:16.119 an at the O for a zero, maybe add a 407 00:20:16.200 --> 00:20:17.079 one at the end. 408 00:20:17.400 --> 00:20:21.119 Oh. So it intelligently mimics how humans attempt to create 409 00:20:21.160 --> 00:20:22.279 complex passwords. 410 00:20:22.480 --> 00:20:26.519 Yes, this raises an important question. If ethical hackers have 411 00:20:26.640 --> 00:20:30.319 easy open source access to these lightning fast cracking utilities, 412 00:20:30.680 --> 00:20:34.200 we must assume that malicious actors possess even more, highly 413 00:20:34.200 --> 00:20:36.400 optimized cloud computing powered versions. 414 00:20:36.440 --> 00:20:37.119 Without a doubt. 415 00:20:37.400 --> 00:20:41.680 It proves mathematically that standard passwords made exclusively of basic 416 00:20:41.799 --> 00:20:45.480 letters and numbers are completely obsolete. The digital lock is broken, 417 00:20:45.599 --> 00:20:48.240 which makes sense. This is why the entire industry is 418 00:20:48.319 --> 00:20:52.319 desperately pushing for multi factor authentication, requiring not just something 419 00:20:52.359 --> 00:20:54.960 you know like a password, but something you physically possess, 420 00:20:55.359 --> 00:20:58.559 like a biometric fingerprint or a hardware token. 421 00:20:58.400 --> 00:21:00.680 Because if they can crack your complex pass in under 422 00:21:00.720 --> 00:21:03.279 eight seconds, that lock digital door is essentially made of 423 00:21:03.319 --> 00:21:06.319 paper pretty much. So what does this all mean? We've 424 00:21:06.400 --> 00:21:08.640 journeyed from the psychology of a fake phone call in 425 00:21:08.680 --> 00:21:11.880 the lobby to the advanced mathematics of time, memory, trade 426 00:21:11.920 --> 00:21:15.039 offs and rainbow tables. What is the ultimate takeaway for 427 00:21:15.119 --> 00:21:16.720 you listening to this deep dive? 428 00:21:17.160 --> 00:21:21.319 The inescapable reality is that an information system is truly 429 00:21:21.559 --> 00:21:25.400 only as strong as its weakest link. You can allocate 430 00:21:25.440 --> 00:21:28.640 your entire IT budget to building that crunchy outside the 431 00:21:28.680 --> 00:21:33.240 next generation firewalls, the biometric scanners, the intrusion detection, but 432 00:21:33.319 --> 00:21:36.519 the weakest link is almost always a human being. It 433 00:21:36.599 --> 00:21:39.799 is the polite employee holding the physical door open for 434 00:21:39.839 --> 00:21:43.599 a stranger with coffee. It is the exhausted manager picking 435 00:21:43.599 --> 00:21:46.960 a weak, unsalted password because it is easier to remember. 436 00:21:47.400 --> 00:21:51.119 It is the executive throwing an unshredded sensitive financial document 437 00:21:51.200 --> 00:21:53.079 into the blue recycle bin under their desk. 438 00:21:53.359 --> 00:21:56.599 The ultimate takeaway here is vigilance. Whether you are a 439 00:21:56.720 --> 00:22:00.279 chief information security officer designing a corporate policy for ten 440 00:22:00.319 --> 00:22:03.759 thousand remote employees, or you are just an individual trying 441 00:22:03.799 --> 00:22:06.200 to protect your personal laptop while sitting on public Wi 442 00:22:06.200 --> 00:22:08.920 Fi at a coffee shop. You must remember that technology 443 00:22:08.920 --> 00:22:10.880 alone cannot save you from human nature. 444 00:22:10.920 --> 00:22:11.519 It really can. 445 00:22:11.920 --> 00:22:15.319 We are biologically wired to be helpful, and attackers are 446 00:22:15.319 --> 00:22:17.799 methodically trained to exploit that help. 447 00:22:17.640 --> 00:22:20.680 Which leaves us with a truly provocative question about the 448 00:22:20.680 --> 00:22:21.680 future of security. 449 00:22:21.799 --> 00:22:22.319 Let's here. 450 00:22:22.480 --> 00:22:26.119 If the core of social engineering and physical infiltration relies 451 00:22:26.279 --> 00:22:30.559 entirely on exploiting human empathy, trust, and our fundamental desire 452 00:22:30.599 --> 00:22:33.640 to be polite, right, No, our desire to be polite? 453 00:22:34.160 --> 00:22:36.279 Where does this inevitably lead us? 454 00:22:36.559 --> 00:22:37.480 That's a great question. 455 00:22:37.759 --> 00:22:41.000 Are we moving toward a zero trust future where the 456 00:22:41.079 --> 00:22:45.039 human element is systematically removed from the security equation entirely? 457 00:22:45.680 --> 00:22:50.279 Imagine a world of AI receptionists, automated robotic lobby guards, 458 00:22:50.480 --> 00:22:54.640 and biometric mantraps that cannot be charmed, manipulated, or socially engineered. 459 00:22:54.880 --> 00:22:57.400 Will the only way to truly secure an organization be 460 00:22:57.519 --> 00:23:00.000 to completely eliminate human interaction. 461 00:22:59.640 --> 00:23:01.880 At the p That is a chilling thought. I mean, 462 00:23:01.960 --> 00:23:04.440 how do you protect the bank volt without making everyone 463 00:23:04.480 --> 00:23:07.839 inside feel like an inmate in a hyper surveilled prison. Yep, 464 00:23:08.039 --> 00:23:10.279 Remember that bank manager in the brick holding the back 465 00:23:10.319 --> 00:23:12.720 door open. The goal of modern security isn't just to 466 00:23:12.720 --> 00:23:15.440 build a heavier, smarter door. The goal is to ensure 467 00:23:15.440 --> 00:23:18.519 that everyone inside the building understands exactly why that door 468 00:23:18.599 --> 00:23:21.200 needs to stay closed, no matter how nice the breeze 469 00:23:21.279 --> 00:23:24.799 is outside. Thanks for joining us on this deep dive. 470 00:23:24.960 --> 00:23:26.720 Stay curious, and stay secure.