Interview with Freakyclown (Ethical Hacker). How I Rob Banks: And Other Such Places.

In How I Rob Banks: And Other Such Places, renowned ethical hacker and social engineer FC delivers a gripping and often hilarious discussion of his work: testing the limits of physical bank security by trying to “steal” money, data, and anything else he can get his hands on. In the book, he explores the secretive world of physical assessments as he breaks into banks and secure government locations to identify security flaws and loopholes.

FC explains how banks and other secure facilities operate, both digitally and physically, and shows the tools and techniques he uses to gain access to some of the world’s most locked-down buildings.

A can’t-miss account of real-life security exploits perfect for infosec pros, including red and blue teamers, pentesters, CIOs, CISSPs, and social engineers, How I Rob Banks also belongs in the hands of anyone who loves a great Ocean’s 11-style story pulled straight from the real world.

This session is a fun discussion with the “FC fan club”. Here are a few useful links:

Beginnings

FC introduces himself: he has worked in cyber security for 32 years. His physical pentesting work grabs the headlines, but his scope is much broader. His book is available on Amazon. Our discussion is wide-ranging, covering the top under-appreciated threats and how to get into the industry.

Bohdan opens the questioning with what, 30+ years ago, got FC into cyber security. A theme common to many in the cyber security industry today is their childhood. FC’s interest in computing, from the earliest TV gaming systems through the Commodore 64 and Amiga as a kid, led him to the internet.

FC states that even though it was a wild-west era on the internet / web, he did not break any laws. He was very fortunate that a whole industry grew around his passion for computing.

We then start reminiscing about our first computing devices and experiences. FC referenced the Amstrad CPC 464, pictured below. Bohdan shared his experiences with early ISPs: registering for service, then cancelling the payment method. Such tricks could provide six months to a year of free service with an ISP.

From the wild west to today

Bohdan shares how he was approached by criminals in CIS (Commonwealth of Independent States) countries, who recruited members with free stuff. As FC said, it was the wild west. As soon as credit cards could be processed over the internet, fraud took off.

FC repeated a finding often stated across cyber security: there are few new frauds, just the scale has changed. His focus was bringing hacking knowledge from the US to the UK. When I was at York University (’86-’90), with its connection to JANET, we had lots of fun doing just that.

FC mentions he was the head of offensive cyber security at Raytheon, performing nation state pentesting. He worked with the security services of the Five Eyes alliance, formed during WWII, and saw there the activities of criminal groups.

Under-appreciated attack vectors

Jack then asked an insightful question on the most under-appreciated attack vector today. Insider threat is rare, but incredibly dangerous. There are more and more nation state attacks from insiders, either sleeper cells or compromised individuals. FC shared a story on how code sign-off had been compromised at a large contract vendor.

There were three nation state actors in separate teams, signing off on each other’s work. There are sleeper cells today in many contractors, many within ‘approved’ countries, holding the highest clearance given their work over the years. It’s not just sleeper cells: employees can also be compromised and not yet activated.

Jack brought up the issue of mental health within the defense industry, and the stigma that can cause. Along with money, resentment and ideology can be used to compromise an individual. Aaron and FC make the point that they’ve been trying to solve the cyber security problem for decades, and the problems are still growing.

Bohdan asks FC what the most popular questions he is asked are. Apart from getting a job in his company, it’s the role of AI in cyber security and, more generally, in employment. This is definitely the year of AI hype; we’ve covered how AI is used for creating phishing emails at the TADSummit online conference.

Protecting yourself and getting into the industry

FC is not seeing an explosion of AI-enhanced hacking. Simply put, criminals do not need to be that smart, yet. So do not believe the AI hype, yet.

Jack highlighted that some companies simply do not care about cyber security. He described his experience working on a bug bounty for a racing car brand. After four months the brand threatened legal action, as Jack was ‘touching’ the public-domain parts of their app. He submitted the brand’s vulnerabilities for a CVE through MITRE and claimed the bounty; without the brand replying to him or to MITRE, he received the bounty. Jack highlighted that in the automotive and telco industries cyber security is a cost center, so it does not receive the necessary attention.

We then moved on to the importance of paperwork in pentesting / red teaming. Gaps in those contracts can result in your arrest. You do not have the freedom of a criminal, and FC gave several examples where potential losses and risks are not covered by the customer.

Bohdan brought up SIM-swap as a service, on any phone number, for $1k. This led to the recommendation of using multiple, separate phones / numbers for communication services and for security services such as SMS verification codes. I use my regular carrier number for communications and Google Voice for security services.

FC moved on to organized crime groups paying people to install equipment in their homes, to use their consumer internet connection: the household’s regular activity masks the tiny amount of data used for nefarious actions. We also reviewed similarly co-opted individuals, e.g. people driving around a city with a SIM box to avoid detection; though, as we discussed with Wadaro, there are ways to discover them. These activities are generally performed by criminals, not nation states.

Jack highlighted that in Australia, mobile hacking is the hot topic. He shared his own story about Club Penguin and Wizard 101, massively multiplayer online role-playing games (MMORPGs) where kids discovered cheats and hacks. This led to Jack being visited by the Australian police and security services in the middle of the night.

Aaron asked the question, as he also receives it: how do you get into physical pentesting? First off, FC stated, learn the law: state by state in the US, generally country-based elsewhere. Can you carry a lock pick? Is that allowed? These details matter. Ethics are critical: you cannot misrepresent yourself as emergency services. Start as a pentester and then move on to physical; it may not be for you.

Bohdan finished by asking when FC is next presenting. He has an upcoming US tour with Abnormal. There may be a new book, given the success of his first. This was a fun and insightful session.
