Steal Everything, Kill Everyone, Cause Total Financial Ruin 5: Methods of Espionage

In this part, you will learn about the typical mistakes that even financial institutions and law enforcement agencies make in terms of counterespionage.

Anything suspicious?

Okay, so let’s talk about financial ruin, let’s talk about espionage. I hate to hurt some people’s feelings and say: “It’s not just the Chinese.” In the 70s, the 80s, the 90s the French were doing awesome with it. Actually, the French did a great counterespionage thing with the CIA and stuff back in the 90s with the Boeing incident, you can google that one (CIA wish you wouldn’t). So let’s talk about some of the things you can do there.

Informative printouts

Once again, there’s many frowny faces, not good. But you know what – I’m an environmentalist, I am. Do you know how many poor senseless trees die every day due to those printouts that you leave beside the printer? But you know what – they will not die in vain when I visit. I’m taking all of them. I’m gonna liberate those trees. I am such an environmentalist, I will take the ones that are still printing out, just to make sure you don’t forget them. Those trees will not die in vain when I’m there. This is so sad, this is actually a Dilbert comic strip because they still use shred bins. You’re telling me all your confidential data, all the stuff that needs to be shredded – let’s put it in a big blue bucket. This is done in D.C., and this is done in financial institutions, this is done in DoD contractors’ offices. My favorite is the DoD contractor’s office, it’s a secured area, the actual office of the executives that is actually secured so that pretty much no one can go in because of all the top secret data. So what do they do? At night, they put the blue bucket outside their door. Yes, that’s awesome! I’m sorry, it’s awesome for the bad guys.

USB drive in Exchange server – no good

When I get to the point where I can just stick malware into your hard drive, it’s just gonna be a fun night for me, not for you. When you see that USB drive in your Exchange server, it’s not gonna end well for you. I know where the USB drive has been – you don’t want it in your Exchange server. You may think what kind of damage someone can do going after the Exchange server (ask HBGary). Well, how about your accounting server? Me and the 25 other employees are not going to get any paychecks.

Unambiguous password clue

I can also do wire sniff on your traffic. Sniffing passwords is hard, you got to configure a lot of stuff. Like I said, I’m not that technical, I’m not that bright. Why don’t I just get them off your monitor? (see image to the left) I love this one, I actually tried “<leave blank>” first, I gave them the benefit of the doubt.

Strong password? No thanks

This one is my favorite of all time (image to the right). You know why? Because this was at a research lab; you know, I was supposed to be dealing with rocket scientists. The password – first of all, they shouldn’t have written it down at all. But the password that’s scratched out was actually an alphanumeric special character password. It was very complex, and it was hard. So they scratched it out and put it to “welcome”. And it was all lower case, I tried the capital first because, you know, they are rocket scientists…

'Vest of doom 2.0' and its contents

The one thing worse than seeing me in Pepsi pajamas is actually seeing me in a suit, because if I’m in a suit, I am out to screw you over terribly. Because I’m wearing my vest of doom. You can learn more about the vest of doom and all these little toys in my talk that I did last year. But now I want you to know I’ve got a vest of doom 2.0. Let’s see some of those things. I’ve got some video recorder USB pens – now that I’m keeping one in my pocket, I’m going to actually be going in and leaving them in your little cup holders that you leave, so I can record you logging in with your passwords, carrying on your conversations, things like that. So, that’s awesome! If I’m the tech guy, I got my nice little handy 8 GB USB flashlight (video recorder). When I walk into your facility, I’m a walking talking Google street car – I’m capturing everything I can.

ThinkGeek got some cool spy stuff

Now, I got another device in my 2.0 vest. This was something that was given to me by a 3-letter agency in D.C. The only reason why he gave me this device (which cost billions of dollars of research – he said) was that I was to never talk about it in public. So this device he gave me is actually a USB keystroke logger. It’s undetected by any antivirus, you can plug it in, it’s very streamlined. It is very hard to spot when you actually plug it into a device, and it records all the keystrokes. You’re right, I’m lying – I got it off of ThinkGeek. I’d like you to tell the QSAs and your executives about that. Let’s put this in a different way so that they understand it a little bit better – the risk matrix.

The risk matrix

“Available at a geek and gadget website” – well, we discover it’s a “Near Certainty”. Being able to log the CEO’s keystrokes – yeah, I’m gonna go with “Catastrophic” on that one. Now, you see all these other devices, you see all these pens and stuff – to acquire those and be able to get access to that kind of technology, you’ve got to be a “select” group of people. I think everybody is familiar with that kind of access; I think everybody here has that access, it’s called “frequent flyers”. I mean, you talk about hackers getting this kind of data? Okay, I’m an accountant, I really hate my boss, I really hate my job, I wanna go somewhere, I wanna steal a whole bunch of stuff from the Company first. How could I do that? Oh, I’m on this flight; oh, look, SkyMall; oh, I can put a keylogger and spyware on my boss’ computer; oh, I can have a USB recorder and stuff, so I can take video of my Company’s secrets; and yes, I can actually have a voice recorder so I can record our top secret confidential conference meetings.

Read previous: Steal Everything, Kill Everyone, Cause Total Financial Ruin 4: Workplace Violence Countermeasures
Read next: Steal Everything, Kill Everyone, Cause Total Financial Ruin 6: Enforcing Security Awareness
