44 comments

[ 4.6 ms ] story [ 93.0 ms ] thread
Where does it say he was in the wrong bank?
> JASON: I accidentally robbed the wrong bank the last time I was in Beirut.

Right there in the article/podcast.

I found this story yesterday and was quite confused as well, because in the YouTube video of him telling the story that they link, he just leaves that part out. But in the audio at the top of the page (and the transcript), he explains it.
It doesn't. He walked up to the door of the wrong bank and his driver alerted him.
That’s a different incident. There’s another, much more serious wrong-bank story near the end of the interview.
My wife just shared this podcast with me. That’s in the first two-thirds - the last third is where he breaks in to the wrong bank.
It is covered if you hear the full podcast episode. Coincidentally, I heard the episode only last week and was one of my favourite episodes from this podcast so far.
His second anecdote; after drinking too much soda pop, being distracted by looking for a bathroom.
Blank page again.
Here too. Annoying how websites do not work at all if you have some basic tracking blocker enabled.
Disable CSS or use reader mode.
I wonder what kind of people downvote this... :D
Actually had similar experience pen-testing a large financial institution. Was plotted up in their training room and was circa late 90's and I had a boot floppy distro (TRINUX iirc) which had the tools I wanted (tcpdump, nmap...). So quickly turned a training PC into my terminal of choice and mapping the network out and came across an AS/400. Quickly dug out my notes upon such beasts and turned out that the shipping default accounts had not been disabled and was quickly in. Having a look about it turned out very quickly to be a financial system that had nothing to do with the client. Actually seemed to be a case of the system was sharing data and a college of mine soon pointed out that this stunk at not only a security level but more importantly the financial services regulation. We did the report and that whole aspect got swept under the carpet and I was never asked back to that clients site ever again.

That's not the worst story of security within a financial service company/bank I've experienced but sure did start to open my eye's how interlocked some companies are with others who you would not expect for numerous reasons.

I will say that if you do find yourself in places you wasn't expecting, you do notice and notice pretty quickly and raise questions, also you start to become more mindful - "how easy would it be to social engineer penetration testers to break into a bank for you", it's a thought and more so as they would just need to engineer management to task you such a job. Not aware of that happening, but can easily see how that could be orchestrated.

>they would just need to engineer management to task you such a job.

I like the idea of social engineering management into hiring pen testers... How large a shadow organization could conceivably remain undetected on the payrolls of a large corporation, I wonder.

There's a short story in there somewhere, at the very least.

>and I was never asked back to that clients site ever again.

Award for excellence in pentesting.

Some companies need to be tested for legal reasons or because the parent company requires it. It's often easy to tell when you're dealing with one of those from the details being incomplete or coming in late (like get the API docs 7 days into the 5-day test - so we basically didn't test, but we still have to bill the reserved time), but if it's unclear, being a little too happy with an empty report and inviting us to test another thing is another tell-tale.

Well, the report is never empty but in general it's not as if you always hit jackpot, sometimes there's a very small attack surface in a black box test (or if it's a black box because your account credentials are still not arranged...), sometimes there's a mostly default install of something and that's secure by default because a lot of people already looked at the project, or sometimes they just did a good job.

Not being invited back can be more than one thing. Embarrassing the company is one of the most effective way of losing clients, though. It also doesn't help get issues fixed because the manager will prioritize saving face over anything else, including protecting assets.

If you enable them to protect assets without looking bad using good communication... that manager will want you for every test.

>We did the report and that whole aspect got swept under the carpet and I was never asked back to that clients site ever again.

You should have pushed for the opposite, doing the ocassional pentest to the client for life, in exchange for being mum about it.

Here’s a contra view.

If you had a back bone as a consultant your period 2 report would start with “unresolved issues from last time”, so you would very quickly have to resign due to your ethical baseline not being met. Therefore same outcome.

>have to resign due to your ethical baseline not being met

Huh? Your job is to point to issues, not to ensure they're resolved.

The wrong bank story is at 18:20 onwards in the podcast.

In the transcript, search for "A few years pass. Jason gets another call for another security awareness engagement" and read from there.

The rest of the story is pretty amazing too.
The full text transcript is here: https://darknetdiaries.com/transcript/6/
Thank you. I love this bit at the end of a successful demonstration:

> [The bank manager] raised his hand during this whole all-hands meeting and he says what about the free computers? Do we still get the new computers? I'm like no, I was lying to you. I'm a horrible person.

And this one after getting caught at the wrong bank:

> He calls the guy who hired us to rob the bank. They start talking and halfway through the conversation he literally says do we have to split the cost for this? At that point I realized it was probably going to be okay.

This is like gitlab devs deleting the prod DB thinking it's dev DB
Reminds me of the dev who deleted the production DB and all its backups thinking it was dev just to save space and lower the monthly spending.
Memorys, in my young year as an electrician, our boss told us to go to a bank. We would have to install a whole new telephone installation. So we went to the bank, the lady on the front desk said, "yes I heard something about new telephones" and opened the door for us. About one hour later, we already started to work, the boss from the bank came and told us what we are doing, because they did not decide until know, what company the work would do .. so we left and guess what .. our company did not got the contract for the work :-)
It's quite possible in pentesting to end up hitting the wrong target unless you're careful.

Not as extreme as this case but, I've had cases where customers gave me the wrong IP address range for external work in the past, or where the customer had been told they had a dedicated server, when their web hosting company had actually put them on a shared host.

Yep, this. Or the team that arranges the contract (what to test, when to test it) typos the IPs (or misses a digit when copying or so).

To avoid that, in the larger orga I worked for we had a checklist for the morning-of: check signature on indemnification agreement, run a WHOIS on the provided IPs and domains. Fewer and fewer people have their own v4 ranges, but the companies that pay our rates are typically large enough to still have it. If not, they had to tell us in advance whom we should expect it to be hosted with.

The team that has initial contact also checks, but we were supposed to double check anyway and it was a good thing, too. Getting caught hacking another company is not a situation you want or be in as a security company.

(comment deleted)
Pen-testing BOGO special: Buy One; Get One FREE!
The narrating is really annoying. Just let the guy talk, goddamn.
I loved this one especially because of the foreshadowing where he almost targets the wrong bank the first day.

Tons of great episodes on this podcast. It's really a treasure.

I listen to a lot of podcasts, but this may be the one I get most excited about when a new episode comes out.
Same here. When my finances stabilise I’m going to contribute to his Patreon account.
This is another great Darknet Diaries episode: https://darknetdiaries.com/episode/59/ The Courthouse.

You may have seen it in the news just over a year ago. Basically, what happens when a physical pentest goes wrong....

Great episode. What was wrong with that Sheriff?

Fantastic response from the company those guys work for though.

Much less impressive when you know the guy works for the cousin of the bank owner, which is part of a mafioso family. This was staged as a PR move for the security firm of the cousin of the bankowner.
Do you have a source for this? I'm genuinely curious
In this video https://youtu.be/UpX70KxGiVo The running theme seems to be: omg its so easy to just walk in these places and rob them, the employees just let me in.

That seems an unremarkable assertion to me.

Do these corporations want all their employees to act as their private security force and secret police? I think most employees (rightly) dont give a shit if the company suffers. When it does well they dont get rewarded. They just gotta work somewhere so they can pay the rent and get food.

Your employer has the power to make you do all sorts of things. But they cant make you care.

In my experience, employers regularly exercise their power to make their employees not care. At best this is driven by a desire to limit the organization's liability, for example disciplining non-janitorial employees from picking up litter because they are afraid of lawsuits if someone throws out their back at work.
Being from Beirut, this was fun to listen to. But this type of pen-testing could probably take place at almost any bank anywhere in the world.

Generally Lebanon is quite free of "run-of-the-mill" crimes (thefts, rapes, murders). Most crimes happen in the political sphere: assassinations and mainly massive graft and corruption from the politicians who have pillaged the country for decades.