SpyCast 10.11.22
Ep 560 | 10.11.22

“Sure, I Can Hack Your Organization” – with Eric Escobar (Part 2 of 2)

Transcript

Andrew Hammond: Hi, and welcome to "SpyCast." I'm your host, Dr. Andrew Hammond, historian and curator here at the International Spy Museum in Washington, D.C. "SpyCast's" sole purpose is to educate our listeners about the past, present and future of intelligence and espionage. Every week, through engaging conversations, we explore some aspect of a vast ecosystem that looms beneath the surface of everyday life. We talk to spies, operators, mole hunters, defectors, analysts and authors to explore the stories and secrets, tradecraft and technology of the secret world. We are "SpyCast." Now sit back, relax and enjoy the show.

Andrew Hammond: This week's guest is professional hacker Eric Escobar. For the first part, listen to last week's episode. In this week's episode, Part 2, we discuss hacking back - for example, computers inside Iran's atomic laboratories were made to blast the AC/DC song "Thunderstruck" - hacking culture and the hacker fest in the desert that is DEF CON, the tools of the hacker trade, such as the top-of-the-line graphics card, and how hacker talent is spread across the public and private spheres. If you're a fan of the podcast, I would greatly appreciate it if you could leave us a kind review on Apple Podcasts. Make sure to check out this week's show notes for resources to learn more. You'll also find a full transcript there. Thanks for listening and enjoy this week's show.

Andrew Hammond: You're, like, this affable guy living in central California who, you know, obviously enjoys what he does. Like, how much do you get a sense of butting up against the darkness, so to speak? You know, because there's malicious people out there that want to harm individuals physically, materially, emotionally and so forth. I mean, for someone like you, you're relatively inoculated from that. It's just like this is the accepted game. 

Andrew Hammond: There's people like me that do their job and we're left alone because, you know, we have a particular role within the game - or, you know, how much are the people that are doing the Lord's work like you - are there people out there trying to stop you or trying to mess with the - we don't need to use a specific example, but people that are trying to, like, mess with you or get you to stop what you're doing or to dissuade you or disincentivize you, or are you kind of seen as a civilian and you're part of the game and therefore you're out of bounds or something? I'm trying to formulate a question, there. Yeah, the person like you, who's done this legally for a company, trying to help other companies protect themselves versus the people out there that want to commit genuine harm and rip people off and sometimes hurt people. 

Eric Escobar: Yeah. So, I mean, we are targets, just like you are a target, just like pretty much anyone is a target. You know, there might be a little bit more of a target painted on our back by the sheer fact of this is what we do, you know, and maybe we have some special tooling that a threat actor potentially wants to get at or access. But really, at the end of the day, like, there is no, like, honor among thieves, right? Like, I don't get a pass because they're like, oh, we can't attack Eric's machine or Eric's network because it's Eric. You know, typically, when I say that hackers are lazy and opportunistic, if somebody - if you're not a direct target yourself, you are just a line in a spreadsheet, you know, that they're trying to, you know - a password spray attack, or they're trying - typically threat, you know, attackers, threat actors, aren't going to target you or somebody like me specifically unless they have a really good reason or there's going to be huge payout at the end of it, right? If you knew that I was sitting on a hundred bitcoin, you know, then am I going to be more of a target? Absolutely. But really, like, for me, being in the industry, you know, I'm definitely not well enough known. And, like, OK, cool. You're going to break into my office and steal a bunch of, you know, USB cables. My wife would thank you for that. You know, good luck. 

Andrew Hammond: (Laughter). 

Eric Escobar: And the other thing, too, about that, too, is, yeah, the threat actors, the attackers, they need a payoff. And, really, attacking me, that doesn't get them a ton of, you know, juice. That doesn't - you know, maybe they get some access to, like, the current report that I'm working on. But past that, you know, if they were able to try and compromise me, then they should just go compromise the company that I'm trying to compromise. So I'm never really that worried about it. I do sometimes feel bad, you know - if I'm, like, say, doing a test and there's a system administrator that's clearly overworked and, - you know, and doesn't have enough hours in the day to do all the things to try and keep somebody like me out, those are the clients that I'm like, look, when I'm breaking into you, don't think of me as, like, an actual adversary. Think of me as somebody who's going to write the report that's saying all the things that you've said this entire time. 

Eric Escobar: Like, hey, Jim from IT - look, he wants to implement MFA, and I - you know, I bypass you know - if that MFA, multi-factor authentication, had been in place, that would have stopped me. He wants complicated passwords. You should let him roll out complicated passwords because I was able to break in using weak passwords. And so those are the ones where it's like, look, I'm trying - you know, I can sleep easy at night 'cause I know, hey, I'm trying to make the world a better place. 

Eric Escobar: All the companies that I break into are often all the places that I myself use. You know, I've broken into my mortgage company before, which was kind of funny. I said like, hey, if I break in, can I pay off my mortgage? And, you know, everybody, like, nervously chuckles, and they're like, no. You know, but hopefully that answers your question. But, yeah, I don't think I'm any more of a target. And I think when - you know, when an actual, you know, threat or adversary is going after you, it has to - there has to be a big payoff because typically nobody's going to waste their time on somebody just like me. 

Andrew Hammond: And is there - you know, like, in the world of intelligence, where you have people that are working for one side or people that are working for another side, and then you have people in the middle that are double agents or that are agents of an adversary and so forth. So the question I have is, has that ever been the case in the professional hacker community? Like, do you - has there ever been someone that's - I'm a professional hacker. I'm on the up and up. I work for a company that's trying to protect other companies. But actually, I'm a secret scumbag who's selling information or doing stuff for the other side or vice versa. Or is there somebody that's pretending to be, you know, a nefarious hacker, but actually they've been working for the good guys the whole time? Yeah, help us understand that gray area in between. 

Eric Escobar: Yeah. So I don't know anybody personally - and obviously I don't know anybody personally that's done that. But there are - I am sure that of the world's most elite hackers, of the, you know, adversarial APT crews that are out there - the advanced persistent threats - for all of the, you know, crazy bad criminals in those groups, I would say probably 90% of them hold standard respectable jobs in, you know, either some intelligence capacity, in some large tech company capacity or in some technical capacity because why not? If you're good at that, you know, it could just be, hey, this is what I'm going to do at night. Some of them are, you know, hey, we work for this intelligence agency, and that's it. But yeah, I mean, there are several cases, you know, if you were to just go, like, look this up online where, you know, users are - basically said, hey, I'm just going to come in and plug in this thumb drive. 

Eric Escobar: There's a very famous thing that happened recently. There's a company called Ubiquiti Networks that make a ton of, you know, networking equipment out there. And they had a system administrator that basically got a - went home, got on the VPN, logged in with a set of credentials that he knew about, that he had compromised in his role as a system administrator, and then was able to hold hostage his company. And so from that perspective, he was the bad, nefarious threat actor, but he was the system administrator of the company that he was a threat actor for. And so he tried to ransom them for - I think it was like $5 million or some amount of, like, bitcoin. And it was just - you know, obviously, he didn't do a very good job at covering his tracks because, you know, they caught him. But that's a great example of the fact that, like, he was trying to compromise his own company that he was a system administrator for. And it doesn't get as much, you know, double agent-y (ph) as that. I am acting as a threat actor. And it was even more interesting, and I shouldn't say funny 'cause I'm sure Ubiquiti lost a lot of money and got a lot of egg on their face. But one interesting aspect is he was brought in to do the incident response of the threat actor that he was. And so that's - it's just, like, one of those real-world examples of, like, yup, that was a double agent that was working to catch the double agent that he was the double agent of. So yeah. And I'm sure it happens. 

Andrew Hammond: (Laughter). 

Eric Escobar: You know, obviously, I don't have a ton of knowledge about what happens in the inner workings of intelligence agencies, but that would not surprise me in the slightest to know that that same thing happens at that level as well. 

Andrew Hammond: And see; for the - just thinking about this in terms of the world of intelligence as well, like, for you breaking into a company's network - so that's one part of it that's offense for defense. Is there ever a case where - not you or someone like you. But, you know, would it not make sense to, rather than just help you protect against the next attack, what if I can get into their network, the bad guys' network, and figure out what they're doing so that we've nullified the attack before it's even begun? Or am I just overthinking this? Or is it completely different in the world of cyber from espionage? 

Eric Escobar: You are not overthinking it at all. So that's - I think the typical term for that is called hacking back, right? Like, hey, if I hack you first - like, offensive hacking into that. And yeah, intelligence agencies - you know, not just ours, but all of them - all try and do that to some degree of, hey, if I can figure out what they're doing and I know what they're thinking and I know what their tooling looks like, you know, what can I do from there? You know, what is there? The hard part when it comes to the cyber domain is - that's easy when you're like - it's easy in, like, terrestrial, like, normal warfare where you're like, hey, I saw this soldier go into this barracks, so I'm going to go follow him and try and get intelligence from there. But in the cyber domain, you could be attacking a machine that doesn't even know that it's compromised. 

Eric Escobar: So, for example, what might happen is if - say you're a nation-state, and you want to try and, you know, kind of cover your tracks. You might compromise, say, a small flag company and then use the server that you compromised from there to then perform all of your attacks against. You know, and so you can say, hey, I'm a flag company that's now attacking, you know, this other company. And so the company looks at it and says, hey, we're being attacked by, you know, this flag company. And so if you were to take the analogy of hacking back, well, now you're - that company - you'd potentially be hacking into somebody that doesn't even know that they're already compromised. 

Eric Escobar: So there's a lot of weird attribution at play that you can say, you know, that if you're not 100% sure, then - especially if you're just a standard person like me, hacking any machine that you don't have explicit permission to hack is a felony. And so if you're not explicitly sure that, you know, that that machine is doing something nefarious, you shouldn't do it. And if you're in the military intelligence agency, you play by a different set of rules. But even then, you might be hacking into, say, a company that has been compromised, and maybe now the exploit that you used to get into that network, now that foreign intelligence company is going to say, oh, this is the tool that they used to do that. This is how they did it. So let's copy that now. 

Eric Escobar: So it's - you know, the whole, like, Soviet era, Cold War era of, you know, spy versus spy - that game is so much at play in cyberspace that, you know, it's - only now it's - you know, there's not, you know, cold, clandestine, you know, underneath-park-benches, you know, kind of thing when it comes to that level of cybersecurity. I mean, that still might be a thing. But when it comes to the cyber realm, it's even harder because, you know, you can travel around the world in a couple microseconds trying to access servers and do all this different stuff. 

Eric Escobar: So, yeah, hacking back is definitely a thing. There have been several well-documented cases where United States intelligence agencies have hacked back. You know, if you look at - I don't know if the United States has been actually - it was U.S. or Israel - some intelligence agency basically took over another intelligence agency or - hold on. I'm going to find you the exact story because it's really great. They played "Thunderstruck" across all of the computers. 

Andrew Hammond: AC/DC? Wow. Awesome. 

Eric Escobar: Yeah, and they played - so they... 

Andrew Hammond: Good choice (laughter). 

Eric Escobar: Yeah. So hold on. Let me find it for you - exactly for you 'cause the story is just too good. It's like hacker gold. They took over the Iranian scientists' computer network, and on all of their machines, they played "Thunderstruck" as their computers were all completely locked out. 

Andrew Hammond: (Laughter) Wow. Great. 

Eric Escobar: Which is - I mean, like, that's, like, hacker movie fodder, right? Like, that is, like, legitimate... 

Andrew Hammond: It really is. 

Eric Escobar: ...Like, real world, like - but yeah, so hacking back is definitely a thing. The legality of it is questionable at best. And the ethics of it, if you're an intelligence agency that has permission to do it, are - you know, you really have to know, and you have to really be able to feel confident that you are truly hacking back because that can backfire in many different ways. Yeah. So that could be a whole subject of an entire podcast of... 

Andrew Hammond: (Laughter) Let's do it. 

Eric Escobar: ...All the clandestine operations and the ethics behind it. And should you do it, and what are the ramifications if you do it and you get it wrong? There's tons of wild stuff that can happen. 

Andrew Hammond: And for that hacking back, that brings me on to the next question I was going to ask. It seems to me that, in former eras, the expertise for a lot of these types of information operations or the protection of information or the attacking of information, a lot of the expertise was with governments. So if you think about the - again, just coming from the National Cryptologic Museum today. Back in World War II, the leading cryptographers were not working for, you know, Kraft Foods or something like that. You know, all the leading cryptographers worked for the government. But it seems to me that with - in the modern era, it doesn't necessarily follow that the best hackers or the leading hackers all work for the government. And in fact, some people would argue that the opposite is the case because of the financial incentives and so forth. So I just wondered if you could help us understand that a little bit more because I know that the intelligence community are increasingly working with the private sector, and I'm assuming that part of that is because they realize that the main currents of expertise don't necessarily lie within those institutions in the way that they used to in previous eras, if that's - if that makes sense. 

Eric Escobar: Yeah, absolutely. I mean, it's one of those things that - I would be shocked if, you know, all the members on our team haven't, at one point or another, been asked to work for a three-letter agency. And there's a lot of reasons that a lot of people wouldn't work for an intelligence agency or a government. And part of them - you know, who knows? It might come down to ethics, might come to, like, their thoughts and views on things. But realistically, like, I am talking to you from my office right now, and it is 10 feet away from, you know, my kitchen. And so I like that aspect of it. And so when you look - when you say, like, oh, the world's best hackers, you know, they work for private industry - I'd say it's probably a mix. I don't think that, you know, Google has - you know, Google, Amazon, Facebook - you know, any of these large tech companies, that they have any - like, they're not way ahead as far as, you know, their technical prowess. 

Eric Escobar: But yeah, it's definitely one of those things that, if you want to have a - potentially more - you know, more capital coming in, if you want to make more money, if you want to make a name for yourself, you know, there's a lot to be said for going and working for a large tech company because you can actually talk about what you do because if you work for the NSA, CIA - pick your three-letter agency, and you do something super, super cool, you'll never be able to tell anybody about it, right? And you might go to work for somewhere, and they'll say, like, hey, what's this blank spot in your resume? And typically, you know, there's a pretty big back-and-forth when it comes to private - you know, private sector talking to the governmental sector. And you see that in all walks of military and - you know, that different life, you know, anywhere from - look at Boeing and Raytheon, you know, contributing, you know, information technology and tools to the governmental sector, right? Like, they're the only buyer source of that. 

Eric Escobar: And I'd say, yeah, it's definitely one of those things that the world's best cryptographers don't all work for the government. The world's best hackers don't all work for the government. There are some exceptional hackers that work for the government. But I think it's pretty well spread back and forth between the private sector and the public sector for a variety of reasons. And I think everybody has their own reasons for where they end up. But, yes, you know, it could just be as simple as, like, yeah, I don't want to have to go move to Virginia, you know, to be close to the Pentagon, right? I don't want to have to live in Alexandria to live close to the Pentagon. I'd rather live in Cowtown, Fresno, Calif., you know, and hang out with my family here. 

Andrew Hammond: (Laughter). 

Eric Escobar: So there's a lot of different reasons. But yeah, it is definitely the case that it is no longer where all the best work for the government - it's definitely spread across. 

Andrew Hammond: Yeah. Sorry, I wasn't trying to disparage the people that work for the government. I was more just trying to say that it seems to me that it's more distributed now rather than... 

Eric Escobar: Yes, it is. No, I know you're not. I know you're not... 

Andrew Hammond: ...Concentrated in one place. But yeah. 

Eric Escobar: But no, you're absolutely right. It is not concentrated. And honestly, I think that's really good that it's not concentrated. I really like the thought and ability to - that anybody in my position could potentially go work in the private sector. We could go work in the public sector and that there's even, you know, back-and-forth and cross-pollination between those two different sectors to be able to, you know, potentially piggyback back and forth. 

Andrew Hammond: Tell us a little bit more about DEF CON, Eric - so DEF CON 23, 24 and 25, you're the wireless capture the flag - on the wireless capture-the-flag-winning team, snagging a Black Badge along the way. Break that down for some of our listeners that aren't involved in this world. So start off with DEF CON. So DEF CON's a hacking conference that takes place every year in Las Vegas. Is that right? 

Eric Escobar: Yeah. So DEF CON is the - I think it's the world's largest hacker conference 'cause I think this last year was something like 30,000 people, you know, go hang out at three casinos in Las Vegas for a weekend. And there's - you know, they have - DEF CON is broken out into what's called villages. So - and you can think of those areas of specialty. So there might be a lock-picking village where there's just a bunch of padlocks, a bunch of, like, you know, people trying to basically break into locks - all different sorts, right? I happen to have an expertise in wireless, so I'm part of the wireless village. And before that, the wireless village would put on a competition. There's - and there's tons and dozens and dozens of competitions at DEF CON. But this competition specifically tests, you know, hey, can you compromise wireless networks? Can you breach wireless networks? And all the contestants have permission to breach the specific networks here. 

Eric Escobar: But one of the specific challenges in this is called a fox hunt. And the way the fox hunt works is somebody has a phone in their pocket, somebody has maybe a mobile hotspot in their pocket, and they're walking around all of DEF CON. And so your goal is to find that person, which is labeled the fox. So I happen to be just very good at triangulating, trilaterating (ph) and finding those signals in a sea of, you know, 30,000 people. And so that - it's basically - using that, I was able to - you know, it wasn't just me, obviously. It was our entire team that helped win these competitions. And yeah, it was just - at first, it started off like, hey, this would be a really fun thing just to try and find these foxes at DEF CON. And then it was like, wow, we found all the foxes, and we got a lot of points. We could win this thing. Let's do some other of the challenges to get more points on the board. And so that's really how it started. 

Eric Escobar: Yeah, it just comes down to, you know, taking a problem, you know, and breaking it down, seeing what your limitations are and, you know, trying to get to that crown jewels. But yeah, it's - mostly it's just a ton of fun. And I love that aspect. It's also called hacker summer camp. So, you know, everybody flies in from their spot in the world, and you hang out for a couple of days, you know, hang out in the desert, hang out, you know, in Las Vegas. And it's always just fun to see everybody because I work remotely. Almost all my co-workers work completely remotely. So it's a good time for everybody to kind of congregate and meet up in person. 

Andrew Hammond: And what's a black badge? 

Eric Escobar: So sometimes competitions are - you know, if the competition is deemed rigorous enough by the DEF CON - what's called, like, DEF CON leadership, it will get assigned a black badge. So if you win an event that is a black badge event - and they're not always all black badge events. There's - it changes which ones are and which ones aren't. Basically, if you win that competition that year, you get what's called the black badge, and that basically gets you a free ticket into DEF CON every year. And it was kind of an accident, actually, how the DEF CON black badge became a thing in and of itself. It was meant to just give you a free ticket for the next year when it initially was created. And then, for whatever reason, it got messed up, and they're like, oh, no, you get free access for every year. 

Eric Escobar: So how it was initially created 30 years ago was a bit of a mistake, I believe. But that's essentially what it gets you now - is it gets you free access into DEF CON for life, essentially. And it's one of those things, too, that - the thing that I really dislike about the black badge is - there was a lot of people on my team, right? And we won those three years in a row. And I don't like the idea that, hey; there's one person that - they get it. I would prefer that it's like, hey; let's split this out and distribute it, right? But, yeah, be that as it may, honestly, it's just a lot of fun to be able to hang out with all of our friends and just be nerds together. 

Andrew Hammond: One of the things that I wanted to ask now was what - let's talk Hollywood just briefly before we come to the end of the interview. Is there a particular hacker movie that you're like - well, let's break it down into two parts. Which one do you think is most realistic? And which one do you - is there another one that you think, OK, this one's complete hogwash, but it's actually really good fun and a great way to spend a Sunday afternoon with a bag of pretzels and a couple of cool beers? 

Eric Escobar: Yeah. So I think probably on the more accurate end of the spectrum - and, like, to make - like, to preface everything I'm about to say for everybody that's about to yell at their phone or whatever they're listening on, if you were to look at what I do, you're like, Eric is a hacker. Look at all the things that I do. And it's like, do I have some, like, Hollywood-esque (ph) moments every now and then? Yeah, I do. But, like, what they don't see is the 40 hours' worth of work that it took to be able to hit enter and watch passwords scroll on my screen, right? And so hacker movies are all limited by that same thing. So to say that some of them are complete hogwash is absolutely true because some of them are. 

Eric Escobar: But to preface that, I think probably the best movie - and it's a cult classic - is "Hackers." "Hackers" is a great movie. It kind of embodies the hacker ethos of, like, you know, solving problems, doing it on the fly, you know, trying to work the problem, so to say. 

Eric Escobar: And then more recently, because "Hackers" is a pretty old movie, the TV show "Mr. Robot" - they did a pretty good job about doing their research, about, you know, using the correct terminology. And, sure, is it Hollywood? Is it, you know, made for Hollywood? And is it made to tell a narrative and a story? Absolutely. Are they going to explain the intricacies of a buffer overflow exploit? No, they're not. But nobody would watch it if they did. But they use a lot of, you know, legitimate tools. You know, it's like, oh, hey. I have one of those, like, sitting right here in my bag of tricks, right? Like, I have that. I have this. Like, did they do that a lot faster? Did that work out really easily for him? Absolutely. But, yeah, I think that they do a pretty good job as far as keeping it accurate and to the point for Hollywood, so to say. 

Eric Escobar: And then I'm trying to think of the one that would be the like, OK, get out of here. You know what? I think probably "Die Hard 5" or "Die Hard 4," the one with Justin Long, where it's - like, the very technical "Die Hard" one. That one is like, OK, like, you're going to sneak into somebody's house and put, like, C-4 in their computer so that when they type in, you know, something - they hit enter, then their computer is going to explode. Like, yeah, a lot of that is very Hollywood and very, like, quick; hack that street camera. And it's like, quick; hack that street camera. Like, do we even know what network that's on? Do you have physical access to it? Is it wireless? Like, you just said hack it, and, like, it was done, you know? So, that one - I mean, it's fun. I like it. I like the Bruce Willis and Justin Long, like, back and forth of, like, you know, old, retired cop and, you know, like, young whiz kid kind of thing. Like, that's a fun aspect of it. But, yeah, I think the actual technical aspects of it are probably complete garbage. 

(LAUGHTER) 

Andrew Hammond: And you mentioned tools there. Help us understand some of the tools that we - that you would use or that you use for your job - so other than a computer. Like, people sometimes - like, here at the museum, when we bring up the term cyber, people think, well, it's just - it's so intangible. How do you even tell the story of cyber intelligence, cybersecurity? But then it also makes me think, like, radio waves are intangible. Telegraph messages are intangible, but we still use tools to tell those stories. So how - if we were doing an exhibition on you, what kind of tools would we use to tell that story or hackers in general? 

Eric Escobar: Yeah. So from a digital perspective, the tools are - I mean, it's kind of funny because you think of - like, an example of something that I use on a day-to-day basis, probably for the incorrect purposes that it was originally designed for, is a really hefty graphics card. Like, I'm talking the top-of-the-line graphics card that you can, you know, use to play all your video games on three screens at, you know, highest graphics enabled. And you're like, well, Eric, how does that help out a hacker? How does that, you know, help out a threat actor? Well, graphics cards do a lot of calculations in parallel, so they can work on similar problems in parallel and do them all very quickly, whereas typical computer processors, you know, they're more powerful than some graphics cards can be, but they can only do one after the other - you know, things one after the other. So they're just not fast and parallel. 

Eric Escobar: And so what we use that for is if I get something that's encrypted, a hashed user credential, which is commonly what we get in - you know, in any of our penetration tests or adversarial engagements, and what we need to do is, well, we need to somehow crack that, or we need to somehow brute-force and find out what the clear text version of that is. And so we use a graphics card to basically just perform trillions of calculations or trillions of guesses a second to see, can we basically brute-force that password? You know, something that would have made Alan Turing, you know, envious when he's trying to crack the Enigma code, right? And so essentially, we just say, you know - you could be as simple as, OK, I want to do A, A, A, A; A, A, A, B; A, A, A, C; A, A, A, D - and, you know, going through all the various combinations of potential passwords. And if I can do a trillion passwords a second, that's a lot of guesses. And then we apply more, you know, like, password lists, known passwords, you know, and then, say, add, like, 2022 for the year to the end of them to try and tease out what that potential could be. But that's something that is a tool of mine that I use on a daily basis that was not designed for those purposes. And that's, like, a digital tool, right? 

Eric Escobar: I have other tools. So I'm looking - for those listening on the phone right now, I have other devices that are interesting and, again, repurposed. So this device that I'm holding up to the screen - it looks probably about the size of a credit card, maybe five credit cards thick. And there's an RFID reader in here. And so if you're trying to access a badge or gym, a gate, you know, anything, they typically have these little key fobs. You touch, and, you know, it does some mechanism to say, hey, I'm allowed to be here. And so what this device does is it's still a reader, but it's also a cloner. So it reads it, and it saves that code. So now if I'm walking by you in an elevator or an escalator and I were to wand your back pocket, if I were to wand - if it was across your neck, I would then have a copy of your keycard, and I could then replay that and get into the building just as you were. We used this on an engagement a couple weeks ago, and one of my co-workers was able to use this same tool to clone the cleaning lady's badge. And so now we had access to the entire building because the cleaning staff needs access to the entire building. But we had cloned her badge. We didn't steal anything from her. We just made a copy of her - you know, of her RFID badge. And that was it. 

Eric Escobar: So that's, again - like, this is a very technical tool for a very specific purpose. But, you know, I use things that run the gamut of a graphics card that you can buy from Best Buy all the way to something that has to be purpose-built and purpose-made and sometimes even just made in-house to achieve that exact objective. But I have - I mean, you can see - for those of you listening to audio, my office is just littered in boxes that all have labels on them. In each of these boxes is a tool that I use to do my job, whether it's from a specialized USB cable or, you know, a special - so I'm a wireless nerd, so I have all my ham radio equipment, all my antenna tuners, all of that information, all, again, you know, to potentially try and compromise a client or a customer through any number of ways or techniques. 

Andrew Hammond: That's pretty incredible. I didn't realize that so many tools were involved. I think that I just thought that it was, like, a computer. But wow, that's really amazing. For - like, for that as well, this is - you know, feel free to decline this question. But I'm assuming that if you wanted to - you know my name. You could probably, like, get into my computer, rake around my files, and - yeah, like, let's not make it me. Could you meet one of your friends or meet someone and just be like, yeah, I could - I wouldn't do it because, you know, it wouldn't be ethical. But if I wanted to, theoretically, I could definitely do it. I'm assuming that for most people on the street, you could do that. If you can break into these companies and defense - you know, aspects of the Department of Defense, I'm assuming that, like, just your average private citizen would be small potatoes. 

Eric Escobar: You would think that. But the answer is, surprisingly, that to try and compromise you or, like, somebody off the street might oftentimes be way more difficult than a large company. And if you think about it, like, if you have a phone, well, you're holding on to that phone, right? So I need to maybe interact with it somehow. I have to get within proximity of you. You're moving. You know, your house is, you know, a standard, you know, house, so to say. And so your attack surface is not really that big. You know, you only have a couple devices to go after. And, you know, typically, phones are pretty, you know, secure depending on how old it is, whereas if you look at, like, a large company, if you look at, like, a Fortune 500 company, they might have 40,000 employees, and there's no way humanly possible that they could potentially guard against every known threat actor. Or, you know, if they have 40,000 employees, then at minimum, they have to have 40,000 computers. And so it's at scale that things get difficult to defend against. 

Eric Escobar: You know, if I asked you, hey, you know, you have a BB gun and you're going to try and defend your house, you're going to do a really good job of defending just your house 'cause you know everything about it. You know where everything is. You're familiar with it, whereas if I hand you, you know, a bazooka and say, OK, now go defend Giant Stadium in San Francisco - OK. I mean, you have big - you have the big guns, but, like, there's so much surface area, and there's so many places that somebody could hide that, typically, compromising a company is often a lot easier than compromising an individual. There - now, there are certain things that it's like, oh, yeah, you know, that would be fairly easy. But overall, you know, if you keep your computer up to date, you have long passwords, you have multifactor authentication, you know, which is where you get a text message or you have to push a code on your phone to log into something, you know, you use encryption on everything, you know, you have a PIN on your phone and a password on your computer, you are going to be a lot more difficult to compromise than probably the top Fortune 500 companies out there just because the nature of - you know, there's only so many devices you need physical access or, you know, relative access to it. 

Eric Escobar: And especially if you use a tool, if you use email services like Gmail or Outlook or, you know, any of the big ones out there, they're really good - they see attacks at scale. And so the amount of email that potentially gets filtered out, scams that get filtered out - like, trying to send a malicious email or a malicious phishing email is really hard if you're doing it through Gmail or through Office 365, through any of these suites of tools, which would probably be the main way that I would try and compromise - totally not Andrew. But, you know, it's one of those things that hacking... 

Andrew Hammond: (Laughter). 

Eric Escobar: An individual is often hard, whereas for a company, I only need to hack one of 40,000 computers, one of 40,000 employees, in order to get my way in the door. So yeah, that's a common question that I get. They're like, OK, well, hack my phone right now. And it's like, oh, my gosh, well, like, I'm not going to do this right now. I used to volunteer at a youth group, and all the kids would be like, can you get me, you know, more gold in Warcraft? Can you get me - you know, it's like, no. That's not how that works. 

(LAUGHTER) 

Andrew Hammond: I never thought about that. That's quite interesting - the attack surface. So your average private citizen is just presenting a much narrower front. So they're more difficult to attack. So does that reverse the old adage that if you try to defend everything, you defend nothing? Because if you're a Fortune 500 company, unless you defend everything, you're not defending anything. 

Eric Escobar: Yeah, I don't know because... 

Andrew Hammond: Does that make sense? 

Eric Escobar: It does make sense. And it's honestly just - it's a really hard problem. Like, it's a really hard problem because - you know, what I always like to tell our clients and my family is - they're like, well, I want my computer to be as secure - I want my network to be the most secure network. And it's like, OK, if you had me design your network and your only goal was to make it secure, unplug everything from power, turn it all completely off and unplug it from the - and they're like, well, that's not practical. I'm like, OK, so you don't want the most secure network; you want a network that is secure but also usable. And so in that regard, you know, I take sympathy from the aspect of like, yeah, it's really tough to keep everything updated. And if you're running a large company and you're a staff of five people and you have tens of thousands of computers to look after, there's just not enough hours in the day to do it. And that's typically why things happen. 

Eric Escobar: Or, you know, if, say, an employee left and their job duties weren't picked up by somebody else and that machine just went by the wayside because the person who was hired to, you know, keep it patched and keep it, you know, secure is no longer there at the company anymore and so it just gets left alone and nobody knows that it's there, it's really that problem of knowing what your assets are, knowing what devices are actually even in your network because if you - like, if I asked you right now, Andrew, name the number of devices currently connected to your Wi-Fi, it's not, like, 23, right? You don't know immediately. You have to think about it. Well, that's just you. That's just one person. Now, think you're a company, and you have - and, you know, you have to try and take into account all of these devices. And to make matters even worse, sometimes it's people logging in from their personal cellphone into their email, into their VPN, into their - whatever it might be, which is convenient from cost savings for the company. But as far as security, it's a nightmare because it's hundreds of different random devices that you have no control over that you have to provide support and security to. 

Eric Escobar: So it's - like, I do not envy that problem 'cause it's a tough nut to crack. And that's why people are employed with it, and there's large, large security teams out there because it's really hard to keep the - essentially, try and change the wheel on the bus while the bus is driving down the highway. It's - you know, you can't have any downtime, but everything needs to be secure. But nobody wants to reboot their computer for updates. And so it's a tough problem. 

Andrew Hammond: Wow. 

Eric Escobar: Hopefully that answered your question. But yeah, I have no envy for the people that do that job. They are doing the hard work. 

Andrew Hammond: It does. And have you - just a couple of final questions, Eric. Have you ever struggled - or have you ever failed or struggled to get into a network? 

Eric Escobar: Oh, yeah. There's been more than my fair share of networks that I'm like, wow, you guys just did a really good job against this. One of the ones that sticks out in my mind is - so when you're trying to - and you're trying to like, compromise a network, or you're trying to compromise a company, one of the things that you try and do is you try and just do password guesses. Like, hey, is Andrew's password summer2022? Maybe it is. Odds are that if you have, you know, a thousand users, one of them is going to have the password summer2022. So that's why I try it. And what they did - and I thought it was really clever - is they had a bunch of, like, famous movie stars in their, like, accounts. And so, like, there's Tom Cruise and John Travolta and all these, you know, famous actors. And when you try and log in as John Travolta or as Tom Cruise, it throws up all the red flags 'cause they're not real users. So nobody should be trying to log in as them. And so immediately I was caught. Immediately I was quarantined... 

Andrew Hammond: Wow, that's smart. 

Eric Escobar: ...And evicted from the network. And it's just little stuff like that. I'm like, that was clever. I always got to watch for that now. So now I have, like - I compare my list of users on their network to IMDb to see, you know, what famous actors or famous people are included in there. But again, just one of those things that, like, yep, that kept me out pretty darn well because if you have a thousand users, you know, it takes you a lot of time to slog through that and see, you know, man, there's a - there's, you know, nothing I could do to find out who they were ahead of time. Other things that have kept me out - honestly, just companies that have really good password policies, you know, where it's just, like, 15-character password. You got to use a sentence. And they, you know, require multifactor authentication for everything. That's really, really solid. Like, it's really hard to try and guess a password when it's 15 characters long, and it's really, really hard to try and - you know, even if I have a password, if you have a cellphone that I need to have or if you have a code or a token or something else in addition to your username and password, it makes it really hard for somebody like me to break into your account because I don't have those things, right? So that makes it tough. 

Eric Escobar: But yeah, more often than not, I'm successful at achieving some level of the objective, but there are definitely companies that I haven't been able to breach. But the other thing that I always like to remind our clients of - like, look. You have, you know, an adversary, a threat actor trying to attack you for a week. If I'm a true nation-state, if I'm a true adversary, I might just slowly try and breach your network over the course of weeks, months and sometimes even years, right? And so that's the other thing to keep in mind, too, that I always tell our clients - is, like, look. Just because I wasn't able to get in doesn't mean that no one is able to get in. I had 40 hours. Some well-staffed and well-resourced, you know, threat actors - if they really want to get in to you, you know, they have a lot more time on their hands to potentially breach your network. 

Andrew Hammond: I'm just thinking about cryptography during the Second World War. Like, to get into Enigma, that was almost an industrial-scale operation that, you know, took many thousands of people hours to deal with. So I think that that's quite an interesting point. Because I can't do it in 40 hours doesn't mean that 4,000 people in, you know, four years won't be able to do it or will be able to do it. And a couple of final - penultimate question - if you could recommend one book for people to learn about hacking, what would you recommend? 

Eric Escobar: So there is a book - and this might be a weird choice, but it's a book that I always reference, and it's called the Hashcat manual. And basically, what the Hashcat manual is is it is a book that's maybe 100 pages long, and it's, like, maybe $10 on Amazon. And what it does is it has all the known types of hashes and encryption functions. And basically, you have - say you have the word password. How do you mangle that? How do you encrypt that? How are the processes that it's done to encrypt and secure that? 

Eric Escobar: And it's not, like, a - this is how you get started hacking. But it just shows you all the different methods that super, super-smart cryptographers and people have come up with to secure and safeguard cleartext information. And so while it's not, like, a - this is a get-started guide on how to start hacking, you know, "Hacking for Dummies," I just appreciate it, and I like it from the sheer fact that it is something that I reference quite often. And it is something that just goes to show that there are so many different ways to solve a problem. 

Andrew Hammond: Wow. This has been so fascinating. Eric, I've really enjoyed speaking to you. I feel like I could speak for another hour and a half. 

Eric Escobar: Oh, we could probably talk a long time. 

Andrew Hammond: But to be continued, maybe at DEF CON next year. 

Eric Escobar: Yeah, absolutely. 

Andrew Hammond: Yeah. This has been a lot of fun. Thank you ever so much. 

Andrew Hammond: Thanks for listening to this episode of "SpyCast." Go to our webpage, where you can find links to further resources, detailed show notes and full transcripts. We have over 500 episodes in our back catalog for you to explore. Please follow the show on Twitter at @INTLSpyCast and share your favorite quotes and insights or start a conversation. If you have any additional feedback, please email us at spycast@spymuseum.org. I'm your host Dr. Andrew Hammond, and you can connect with me on LinkedIn or follow me on Twitter at @spyhistorian. This show is brought to you from the home of the world's preeminent collection of intelligence- and espionage-related artifacts, the International Spy Museum. The "SpyCast" team includes Mike Mincey and Memphis Vaughn III. See you for next week's show.