Luke McOmie: Pyr0's Red Team Journey
Phillip Wylie Show | May 13, 2025 | x21 | 00:42:09 | 38.6 MB

Summary

In this episode of the Phillip Wylie Show, Phillip Wylie interviews Luke McOmie, also known as Pyro, a prominent figure in the hacker and cybersecurity community. They discuss the value of smaller conferences, Luke's journey into hacking, memorable red teaming experiences, and the importance of community engagement in the cybersecurity field. Luke shares insights on getting started in red teaming, the evolution of the industry, and the significance of building relationships at conferences.


Takeaways

• Smaller conferences foster better relationships.

• Luke's first computer was an AST-486SX.

• Hacking the school district led to early trouble.

• Red teaming involves both physical and digital penetration testing.

• Community engagement is crucial in cybersecurity.

• Training and certifications are essential for aspiring red teamers.

• Physical security assessments are increasingly required by insurance underwriters.

• Networking at conferences can lead to lifelong relationships.

• Urban exploration can provide valuable skills for red teaming.

• The landscape of cybersecurity is evolving with new challenges.



Sound Bites

"I got to play with Commodore 64."

"I am God."

"I had a backpack full of data."



Chapters

00:00 Introduction to the Hacker Community

03:02 The Value of Smaller Conferences

06:10 Luke's Hacker Origin Story

08:59 Red Teaming Experiences and War Stories

17:57 Close Calls and Getting Caught

24:13 The Unexpected Consequences of Cyber Operations

30:37 Navigating the Path to Red Teaming

35:15 The Evolution of Penetration Testing

38:19 Building Connections in the Cybersecurity Community


Resources

https://www.linkedin.com/in/lmcomie/

[00:00:01] Welcome to the Phillip Wylie Show. Take a look behind the curtain of professional hacking and hear compelling discussions with guests from diverse backgrounds who share a common curiosity and passion for challenges and their job. And now here's your host, offensive security professional, educator, mentor, and author, Phillip Wylie.

[00:00:33] Hello and welcome to another episode of the Phillip Wylie Show. Today I'm very excited to have my friend Luke McOmie joining. If you're part of the hacker and cybersecurity community, you may know him as Pyro. Kind of thought about having him on because I guess I'm trying to think was, was this the first time we met in person? Was it NOLACON last year? Yeah, yeah. It's crazy. We've known each other online for a long time, but it was nice to actually finally get to shake hands. Yeah, same. And that's the nice thing about the conferences like NOLACON that are a little bit smaller that it's easy to find people. So those kinds of conferences, a lot of the people you want to know,

[00:01:02] they're easier, easier to find than trying to find them at DEF CON. Absolutely. I, I, I've been telling people lately, it's like, I, I had a couple of years there when the pandemic hit and I kind of pulled back from going to the really good conferences, right? RSA, Black Hat, DEF CON. It was the first time I'd missed a DEF CON in, in years and years and years, but I found a lot of value going to these smaller events. So we've been hitting like all the BSides, all the DC different events that we can go to, you know, the DEF CON group events.

[00:01:30] Um, overall, it's one of those things where I think there's an incredible amount of value in it. And I find that those smaller events, it's easier to build relationships and to meet people than it is sometimes with, you know, 48,000 people in Vegas. Yeah, I agree. And it's just so much easier to focus. There's so much noise, you know, distraction at the bigger conferences. So you don't know where to go, what to do. And so, yeah, those small ones, I really enjoy.

[00:01:55] One of the things I'm wearing my GrrCON shirt today, I found out that, man, it's really amazing how many great conferences the Midwest has. Yeah. Yeah. It's a, they just did the wild whacking or wild west hacking fest here. You know, the various BSides that are around are great. I got to jump in at Columbus and Pittsburgh and Denver last year, really had a good time at all those different events.

[00:02:18] But I think it's picking up, you know, it's, it seems like every single time I turn around, I see like a new call for papers or a new event that's spinning up. And I think our industry needs it, right? We, yeah, especially in some of these smaller remote areas, you know, people don't have the budget or don't have the opportunity to do big events. So it's cool when there's something regional they can drive to. Yeah. That's, that's really nice because before in the past, you know, the, the BSides are good, but that's usually a lot of times the limitation, but to have these, these smaller hacker cons are pretty nice.

[00:02:47] And then as expensive as DEFCON's getting, I see that the badges are going up even more this year. Yeah. I'm happy I have my gold badge. Yeah. That's good. So how did you win your gold badge by the way? 23 years of service as a DEFCON goon. Okay. Yeah. You deserve it. Yeah. You retire after I think you have to serve at least 10 years to get the gold badge. Wow. So yeah, I should have two. So Jeff, if you're watching this, like, you know, I'd happily take another.

[00:03:13] Very cool. So yeah, before we get started too much further, as I kind of mentioned, if you wouldn't mind sharing your hacker origin story, kind of how you got started out. Sure. So I was one of those kids that was always in trouble, big fish, small pond. I grew up in Lander, Wyoming, tiny little community, about 7,000 people right on the edge of the Wind River Reservation. My mother and father were exceptional parents, still my favorite people on earth. They, you know, my father was a cop, a firefighter, did all the public service type stuff.

[00:03:43] My mother was a bank teller. And as expensive and as challenging as it was back then, I remember them buying an AST 486SX from Radio Shack. And it just kind of opened up my whole world. I'd got to play with Commodore 64 before that. I was recording, you know, stuff out of Dr. Dobbs journals onto audio cassette tapes and could never make it work right when I'd play it back. But it really, the first time I had a computer in the house was that old 486SX.

[00:04:10] And I started fooling around on it, trying to get it to run different things. Back then, BSD was really the big thing. And Slackware, I think it just dropped. I still remember installing one of the first revisions of Slackware and feeling like, you know, it was a hell of a lot easier than BSD, it felt like. And now, looking back at it, it's still incredibly difficult compared to what the kids are doing nowadays where they don't have to build their own kernels or their own modules or anything like that.

[00:04:38] So it was a good introduction. But I ended up getting into some trouble for hacking the school district. They had an old Novell network. And I wrote a script that made it to where every single time a user would log in, it would go to the administrative directory. And it would use the send command to send a message to everyone, so every single logged in user, that would say, I am God. Well, because these are old token ring networks, and I put it in as part of the login script, I ended up DOSing my school district.

[00:05:08] I totally didn't mean to, but every single computer had this message flashing from every single time a user would turn on a system or log in. So got some unwanted attention at that point. That led to us creating RootSeller Security Team, originally known as HAC, Hackers Against Corporate Culture. And we had about 12 people at the time that were doing a lot of really cool offensive security work.

[00:05:29] And we were a professional company at the time that we were helping like Bureau of Indian Affairs and some of the other government and businesses that were there in Wyoming. School districts out on the reservation, that kind of a thing. Not just with security, but, you know, technology coordination. So we were getting our hands on all kinds of cool things like satellite uplink hardware that was being used because Cisco was bringing internet into the classroom in these, you know, incredibly remote locations. And it was part of a federal grant.

[00:05:58] But that led to us speaking at DEFCON. And I believe it was DEFCON 8 that Shatter and I did the first FAQ the Kiddies speech. And FAQ the Kiddies, FAQ, FAQ the Kiddies, became what is now DC 101 or DEFCON 101, which is one of the more attended speeches that everybody goes to this year. If you've never attended the event, it's kind of that first thing that you got to go check out to get the lay of the land.

[00:06:25] But through different types of things that we were doing, different types of work we were doing, you know, we got to speak at the Rocky Mountain Security Conference. We ended up meeting John Perry Barlow, who really kind of became a champion for myself and my team when we were looking at some investigations and prosecutions coming our way. Based upon some of the computers that we had hacked out in Berkeley that turned out to be some of the first honeypots that were really being deployed and they caught us easily. Because we didn't know that we were supposed to be watching for that stuff.

[00:06:55] And I was like, can you guys believe how easy it was to hack these computers? And years later, I found out that Pete Shipley and some of the other folks who are friends of mine now were folks who were working at Berkeley at the time when all that was going down. So it was kind of funny to hear their side of those stories as well. You know, Root Seller grew and became a pretty good business for us for quite some time. And I, following a divorce, moved down to Denver and got very involved with the 303 hacking crew.

[00:07:22] For those of you who have never heard of the 303, they're one of the longest running, oldest, and still strongly supported hacking fraternal sorority, however you want to look at it. But it's just another group of us punk kids and other kids doing things that we probably shouldn't have been doing back in the day. Getting in with 303 was really the big step for me. Started going to Defcon, Black Hat, doing BSides and all these other types of events. I was working with Defcon as a goon pretty much my second year in.

[00:07:49] And it was something that just really led to me becoming someone in this community. And I got the opportunity to fly around the world, speak at a lot of places, and have done a lot of work. On the professional side, you know, worked for the government for five and a half years. Chris Nickerson, Ryan Jones, and I spun up the security practice at Alternative Technology that got bought out by Arrow Electronics. When we split from there, I went to British Telecommunications. Chris spun up Lares.

[00:08:16] Ryan went over to, I think, Cisco at that point, maybe IBM. But then we all stayed friends and all continued to communicate through the different jobs we had. Ended up working for One World Labs, helping out at Mayo Clinic for a year. That was a great engagement. Got to help a lot with offensive security and some of the stuff they're doing around vulnerability management out there. British Telecommunications, as I had mentioned before, I worked for them for many years, doing ethical hacking.

[00:08:41] Ended up at Coalfire, did five and a half years at Coalfire Systems within their labs group, and also worked as a VC fractional CIO kind of advisor within the organization with some of the larger clients we have there. And then after living there, boy, it's been four years now, I went over to Blue Bastion Ideal Integrations, where I had had a 20-plus year relationship as a consultant. And I was able to spin up a red team as part of the existing practice there.

[00:09:11] So that kind of brings us to modern day. But yeah, one of those punk kids doing a bunch of stuff I wasn't supposed to be doing who got lucky and had some good leadership and some good guidance and people watching over my shoulder that kind of pushed me in the right direction. That's cool. I bet. I'm sure you've seen some pretty cool stuff. So it kind of makes me think one of the reasons I wanted to get you on is because I saw the, was watching and listening to the panel that you did at NOLACON with AD and Mariana and some other folks.

[00:09:38] And you were talking about some of your, some of your red team stories. So I thought it'd be kind of interesting to hear some of your, your war stories. Yeah. Yeah. It's, it's, you know, there's all the, there's the big ones that we've done, you know, got to do some really neat stuff with federal reserves and some of the largest casino groups in the world. Obviously tons of banks that we've got to break into, but you know what? It's funny when I, when I think back to some of my favorite, like truly favorite red teams over the years, some of them are not the clients that you'd think.

[00:10:07] I had a, I had a company in Chicago. Got to be careful about how much I say, but the company in, in, in Chicago specializes in flooring and carpets. Put two and two together there probably to figure out who I'm talking about, but they're one of the larger flooring providers in our country. And they hired us to do a full blown red team, physical pen break in middle of the night, compromise computer systems, you know, see what we could exfiltrate.

[00:10:33] I did that with one of my coworkers at Coalfire years ago. And that's one of those that when I look back on it over and over again, it was crazy fun because they had this huge, huge, massive building and they had gone through this stuff before. And the previous people had really not put in much effort in trying to break into them. And they'd done some basic network pen testing, you know, some, some basic phishing, that kind of a thing. We, we dropped USB keys. We, we walked into the business, you know, and tried to get tours of the facility to get an idea of the layout.

[00:11:03] We'd applied for a job there that made it to where we were able to get into the office area. You know, go in and talk to people about, you know, getting a potential job in their call center. But in the end, really late at night, my coworker and I ended up using a fire escape ladder on the side of the building, you know, one of those caged ladders.

[00:11:22] And, and my coworker, not going to drop his name here, but was deathly afraid of heights and thought that I was absolutely insane about going up this old rickety, rusted up, nasty, you know, escape ladder. And we get up on the roof and, you know, typical big warehouse industrial building. That's just massive, massive, you know, blacktop type of roof. And we knew that there was a little spot off to the side where they had like access down into the building.

[00:11:51] And we walked over the store thinking that we're probably going to have to pick the lock or, you know, force the gate or something to be able to get into the door. But it was completely unlocked and left open. For those of you who don't do red teaming or physical work, you'll find that pretty much anything that isn't on the first floor in most buildings, it's about a 50, 50% chance as to whether or not somebody locked it. So if you can ever get rooftop access, a lot of times getting into the building from the rooftop is very, very simple.

[00:12:16] Some states even require, I believe, that rooftop doors have to remain unlocked for safety purposes or reasons. But it was fun. And we got into the doorway and it was between the two sections of the warehouses that had been built. So it was kind of like a, what do they call it, a firewall between the two areas. And we used like the little fire escape to go down into the building.

[00:12:41] And the best part was is that as we get down to the base, we realized that we're, you know, a piece of drywall in between the secure cage and the area where we're at. So literally it's one of those where, you know, our clients sitting there and had told us not to do any kind of destruction. So it's like, we're sitting there trying to figure out ways. It's like, how do we get proof that we can get into there, you know, through the drywall? I could just knock a hole in the drywall that the clients can get mad that we're doing physical destruction.

[00:13:10] So instead we walked out of the little access area. They had like a maintenance door that led into the stairwell. We walked out of it, walked right over to the cage. And this is like middle of the night. Nobody's supposed to be in there. The only people that are in there are working in the warehouse. They're like loading stuff onto trucks and they've got like a call center that's like a 24 hour help desk call center. And we walk over to the door of the cage and it has this big, massive, crazy like abacus lock on it, but it's not locked. It's just like safety hooked through the gate.

[00:13:40] So we're able to take it off, walked in, and then we had access to like every single thing in this building. Every one of their client lists, all the credit card information and detail. This company has been around forever and a day, and they were doing a lot of their work back in the day just on like paper receipts. So it was like full blown credit cards and that kind of information. But it was one of those jobs that like as a consultant, when you first get told, hey, you're going to go out and like hack this carpet company, it's like, what do you do?

[00:14:08] But it's like, it's not as attractive as like being told you're going to go break into like a series of banks or credit unions or something like that. But the job itself, like I said, ended up being incredibly fun. And we compromised all these computers inside their environment. We're running Kon-Boot and other stuff off of USB keys to be able to go flash and bypass the local administrator, which gave us access to the computer system.

[00:14:32] And then we're dumping creds and details off of the systems themselves and connecting back out to the listeners that we had running at the hotel. But it was a good time. Another one that comes to mind that I dig that again, not the most attractive thing in the world, but was a super fun engagement. Eric Smith and I from Lares did this job on a school district in Texas one time. And it was the same kind of thing.

[00:14:57] They wanted to know if a student or an employee was being super malicious, you know, what could they accomplish? And, you know, yeah, we broke into the school. Yeah, we were able to get access to all this cool stuff. The neat part was that there's a picture that's floating around somewhere and it's me standing in this huge walk-in vault for the school district. And I'm holding all of these credit cards like in my hands. And Eric took this picture and it just looks like, you know, I'm going to make it rain with all this plastic that I've got.

[00:15:26] But the fun part about that gig was that when we were trying to figure out how to get into the school building, Eric had found this like old wooden door that was locked with just like a basic master lock on the outside of the school. And when we'd gone back that night, we picked that lock very quickly and entered this area into a spot of the school that was like bricked off.

[00:15:48] And it turns out that it used to be the old like locker room for the boys and the girls, like for their football team or the field sports. And it wasn't something that they used anymore. Apparently, something had gone wrong with the plumbing or something else. And when they built the new gym, they'd shut this off. Eric and I, we didn't know that it was bricked off. And when we first broke in there, we're just super, super stoked to, you know, get in as quick and as easy as we did.

[00:16:14] And we started walking through this area and you could hear like crunch, crunch, crunch, crunch as you're stepping. It was like, what's all over the floor? Is it shattered glass or what's in this junky place? And we looked down and it was just like one of the Indiana Jones movies. Just absolutely covered it. The grossest collection of cockroaches and centipedes and just everything you could possibly imagine.

[00:16:38] And this area, because it had been like a damp bathroom for all those years before they had shut it down, was just like a breeding ground for all of these different insects. Truly one of the creepiest like things I've ever had to like deal with on, on one of these engagements. Cause it was like stuff's fallen in our hair and crawling down the back of your shirt. And it was just miserable. But definitely one of those that stands out in my mind is as unique and a, and a fun time doing this type of work.

[00:17:05] So what, what is one of the most scariest stories as far as, you know, getting caught or almost getting caught? Yeah. Uh, interestingly enough, um, I've really only ever been caught twice in doing this work where I had to like fully stop and present like a letter of authorization and explain who I was and why I was there.

[00:17:24] And in both of the cases of me quote unquote getting caught, I actually didn't stop the engagement because even though the person was asking me for a piece of paper, I still had a backpack full of data and material and information. So I kind of ran with it. And the first one that I'd mentioned on that was over in Scotland, I'd gone over there to do work for RBS and for Sykes, the call center and like help desk company. They manage this stuff for all kinds of different groups.

[00:17:52] So they had me like in Canada, which is a whole other fun story. And in Scotland doing this work and down in Tampa, I got a hack of the beer can building, the great big, huge round building in Tampa that says Sykes at the very top of it. That was a fun job to go break into. But the Scotland one was great because they had this, it was like their administrative offices and it was, you know, double secure door, man trapped, you know, access card to get into the building. All kinds of crazy stuff.

[00:18:21] And I ended up going and sitting out in the parking lot and waiting until lunch was coming. People were coming back in from lunch and I piggybacked in through like the man trap and just kind of talked my way, social engineered my way with the person that I was doing it with. And they seemed completely chill. And I said I was from ADT. I had the T-shirt and I had like an ADT access badge and it looked like I was there helping with their security.

[00:18:43] And immediately within getting into the building, I went up to the upper levels where they had like conference room and their administrative or their executive level type floor. I walked up, I plugged in to the network in this conference room, started trying to sniff traffic, trying to grab creds and doing other types of things in the environment. And this lady came walking by and she was head of the security for the building. She'd apparently been looking at me from the moment that I was approaching and the moment that I'd gone through the man trap, like piggybacking.

[00:19:12] They knew something was up. So she's yelling at me and she's like, who are you? Why are you here in this building? Like, you know, you need to stay where you are. And I'm like, you know, my name is Luke McOmie. I'm here with ADT security. Totally wasn't. And I'm here working on your guys' security system today. Is there, you know, can I help you with anything? She goes, I'm head of security. You are not from ADT. I know you're not here from this. They would have coordinated and talked to me before. You know, tell me who you are.

[00:19:39] And I'm like, I told you, I'm Luke McOmie. And she goes, well, come with me. And she grabs me, grab my laptop, my unplug from the wall. She starts walking me down to the front desk. And at this point, I'm sitting there going, you know, I have a letter of authorization in my pocket. But at this point, she still hasn't technically busted me, right? Like, so I'm sitting there and I've got a backpack full of laptops and sensitive files and data that I've stolen out of this business as I was walking through and popping file cabinets and doing all this other stuff before I got to the conference room.

[00:20:08] And she gets on the phone with police and I'm like, oh, this is going to go well. So I'm looking out at my car sitting out in the parking lot. And I'm like, what's she going to do? So I get up and I walk out. I jump in my car and start pulling out of the parking lot. And her security officer, the assistant, great big huge dude, like tries to jump out in front of my car. And I just drive around him and I get on the Metro and I just start laughing. And I'm like, this is great. I've got this laptop full of all this gear.

[00:20:38] And yeah, maybe they stopped me before I was able to pwn the network. But I've just, you know, I got out of there and I've got laptop sensitive data. I win. Don't care that she figured it out. And I'm just giggling and laughing the whole way. And I drive back to the Marriott at the airport in Edinburgh. And I walk into my room and the dude who I'm doing this work with, who's from Ireland, who was my point of contact, also had a room there. And he was waiting. I walk up to his room. I bring the backpack with me. It's got the laptop, all the papers and everything else.

[00:21:06] He goes, yeah, yeah, it's too bad that they caught you. And I go, yeah, they may have caught me, but they didn't stop me. And here I am. You're the person I'm delivering this compromised material to. You know, they lost. I don't care that they grabbed me out of a conference room. I was still walked out. I got in the car and I got here. They did not bust me. And he goes. He points over at the window. And I walk over the window and slide back to shades. And the entire parking lot is full of cops.

[00:21:34] They had used the nanny cam and had just watched me leave the building. They watched me drive down the metro, like down the highway. They watched me exit off at the airport. They watched me drive to the Marriott. They watched me walk out to Marriott. Like, I got to see the footage later. And it was like, oh, yeah, in this country they have cameras everywhere. Where I can't just like, quote unquote, drive away and disappear, like without some additional effort. So I think that's probably one of my favorite ones of getting caught, but not getting caught.

[00:22:02] The same company, when they had me in Canada, they sent me to Waterloo, Ontario. And I went up to Waterloo, Ontario. And, or no, I'm sorry. The location was London, Ontario. And I went and I hacked this bank, walked in, plugged into the environment. The network started sniffing just gigs of traffic. It compromised multiple machines, had shells back out. Was just super ecstatic. I had done like one day of surveillance, like the night before, where I'd watched like the cleaning folks and people leaving the business. So I had an idea of when it was going to let up.

[00:22:32] And I went in, it was like 3.30, 4 o'clock at night. And just before everybody was getting to leave for the day. And I sat on a computer with my like back to the wall so I could see everything else that was going on in the room. Nobody cared about me. Nobody was even paying attention to me. And I was like, man, this is just awesome. Just completely own these guys. And I'm not even through, you know, the end of the second day of a week long engagement. This is going to give me all kinds of opportunity and time to go do other stuff. So I leave the, leave the site after I'd compromised everything. Again, backpack full of materials.

[00:23:03] And I call my, my point of contact, same gentleman who had been in Scotland with me. And I said, Hey, I've got everything. You know, we're good to go. And he goes, yeah, Luke, there's, there's been another problem. And I'm like, they didn't catch me this time. Nobody even knew I was there. I walked in, did all this, walked out and they go. Now the problem is, is that the computer system in the environment you plugged into isn't owned by our client. It belongs to the Canadian banking system.

[00:23:31] And you have violated PIPEDA by capturing all of these financial transactions and all this other information off the secure environment and network. We are currently talking to the government and to the points of contact out there in London. This is a really big issue, Luke. And I go, what do you want me to do? And he goes, nothing right now. We, we really don't know what next steps are, are going to be on this. Just make yourself available. I go back to the hotel and there are cops sitting out in front of the hotel, whether they were for me or not.

[00:24:01] I still, to this day, don't know, but it freaked me out. So I call up my buddy and Dead Addict. And y'all might know him. He was one of the first DEFCON goons. And he was in Waterloo, Ontario. And I called up him and Neon Rain. They were dating together back then. And I, I was like, Hey, you guys, I just did a job here in London. I've got cops after me. I'm afraid to go back to my hotel. I've got like my clothes, my shoes, everything else up there, but I've got all my gear and my tech. You know, can I come crash on your couch until I figure out if this is going to blow over or not?

[00:24:31] And Eli, of course, was like, yeah, yeah, come and stay. So I went and hung out with him, Desiree, a couple other people. Did good dinner, had a good time. Ended up spending like the next two days with them because I didn't want to drive back until I had to, you know. And I go, I leave Friday and I drive back and I go to the airport again, left everything at the hotel. I was like, it's a couple changes of clothes, a pair of shoes, all my hardware, all my gears on me. Like, I'm not going to do this. Like, I'm not going to go get busted.

[00:25:00] I go to the airport and as I go through security, no problem. Get my ticket, no problem. Drop off my, the luggage that I was checking, no problem. Everything was, was pretty smooth at the time. Left all the other stuff back at the hotel and I'm sitting at my gate and just happy as could be sitting there texting my wife at the time. And, and was just, you know, kind of telling her a bit about the story and kind of wondering if things were going to go good. And then all of a sudden I felt a hand on my shoulder and person goes, Luke McOmie.

[00:25:29] And I go, who are you Luke? And I go, yes. How can I help you? And they go, you know, we're with Canadian blah, blah, blah government. We're, we're here to talk to you. We understand that you were doing a contract with, with Sykes and that you were at this facility in this location at this time. We believe that you've potentially compromised networks or environments that were not in the scope of your work. And it's something where we have to take action on this. They pulled me into a small room.

[00:25:57] At the time I was working for British telecommunications out of London, England for a U S based contract with Sykes out of Orlando. And I was in Canada after already having a bit of a head bump with, with law enforcement in, in Scotland, just a couple of weeks before. So as you can imagine, the Canadian government at this point is not too happy with.

[00:26:22] And when I had done my form coming into the country, it said, you know, are you here for personal reasons or for, for business? And I checked both. Cause of course I, I meant to go hang out with my friends, you know, that I can, and neon and I wanted to hang out with them. So I knew I was going to be doing personal stuff. So I just checked both. And apparently that raised some crazy flags with them in the end of British telecommunications and Sykes agreed to, to destroy the data and, and to wipe my laptop.

[00:26:48] So there was just no question about the material that I'd gotten access to that. I didn't have it. Couldn't use it. Any of that kind of a thing. And they wiped it, handed it back to me. And then I took a, a later flight home. Well, the worst part of this story is, or the best part, depending on how you want to look at it, is that when I got back to Denver, I'm walking across the jet bridge from, from Terminal A. And this is something you don't have to get on the train. You know, it's got like this little walk over and there's, you know, the, the little automated sidewalks and all that.

[00:27:18] And as I'm walking along, I keep hearing this click, click, click, click, click, click, click. And I'm like, hell is that? And I take off my backpack and I'm like, what is it? And I lean over and I feel something and I'm like, oh no. And I pull out a USB key and it was persistent boot Kali USB key that I had used for the attacks. And it had all my PCAPs and all my dumps on it.

[00:27:40] So I'd gone through all of this harassment for having this data that I wasn't supposed to have, still was not supposed to have it, wasn't supposed to have it back in the U.S. So when I wrote the report, it had all the screenshots, all the work and everything else that I had done on that engagement. But I specifically censored and sanitized and then destroyed the data of anything that was related to the system or that I wasn't supposed to be on the system. I wasn't supposed to be doing that stuff on that second day.

[00:28:07] And it was great because when the client got the report, the client's like, how were you able to, were you writing the report while you did the engagement? How were you able to get all these screenshots and everything? And we thought they destroyed your computer. And it was like, well, they did. But, you know, a lot of this stuff was stuff that I had captured already and had been working on it. So, you know, that's how we were able to get it. But a little bit of a white lie there. And it was one of those where I just, I remember thinking back at that and looking back at that nowadays.

[00:28:32] And it's like, man, I am really, really lucky that that wasn't a bigger slap on the wrist than it became. You know, in the end, it was having to sign documents saying, yes, I've destroyed the data. No, I do not have access to this. Yes, it was done for a professional reason. You know, no, I was not targeting random people in Canada. But definitely one of those types of engagements where you sit there after it's done and over with. And you're like, I'm really lucky that played out the way that it did. Yeah, yeah, it worked out well because you weren't lying. You didn't think you didn't know you had it.

[00:29:01] Oh, I had no idea that I had the key on me still. So, yeah. What about one of the things I wanted to do? We have a lot of people that watch that are trying to break into cybersecurity or offensive security. What are some tips for you for anyone that wants to get into red teaming and physical pentesting? Yeah. Yeah. You know, when I was starting in this, no one did it. We were one of the first commercial teams to really do red teaming. And it was incredibly difficult to do it.

[00:29:29] Essentially, we were a bunch of criminals that at that time had to convince people that we were going to come do criminal activities to them in a way to be able to help them. Right. So, you know, 30 years ago is a very different world than it is today. Today, you know, I speak to various schools and groups as their classes are getting ready to graduate and as they're coming out into the industry. And one of the big things that I tell people nowadays is pursue the classes and the training.

[00:29:58] You've got really amazing training out there that's available to you now that none of us ever had. You know, Red Team Alliance, for instance, Deviant Ollam, they do great stuff. Last year, there was an event that some of my team went to. What was it called? Rock'em, sock'em, lock'em something. I can't even remember. They held the event in like a prison. Rock-a-locka, bang-bang. There it is. And that was my team came back and said that was a really great event to attend.

[00:30:25] Got into lock picking, forcing locks, bypass techniques, all kinds of really cool stuff. I also tell people that from a certification standpoint, the CRTO, Certified Red Team Operator, really great certification. You know, good breadth of different types of things that you need to know or things that you need to get into in order to do this work.

[00:30:46] But I find that, you know, it's a lot easier for folks nowadays to be able to go to a conference and to take a class on lock picking or go to a class or go to a conference and pay for a class on doing physical security control evasion or bypass, right? This stuff just was never there. So I would say really lean in heavily to the industry and the courses and the classes that are available. There's also been some really good books written on this stuff.

[00:31:11] But in the end, the operators that I see that do really well at this stuff are people that have spent a bunch of time in their youth or, you know, even currently doing a lot of things in like urban exploration, right? Where it's they're going out and they're exploring old broken down buildings or they're doing things to help identify or notice security flaws or vulnerabilities that exist at their current workplace, right? Those are the folks that have that interest and that spark.

[00:31:37] And if they've got the aptitude to be able to do that, then it makes it to where, you know, it's kind of a shoe in the door to get to go do this work. The caveat to all of this is that I'll tell you that most professional teams, my team included, you're not going to walk in day one of your penetration testing job and start doing red team operation work.

[00:31:57] Usually, you know, people have got to kind of burn their chops and you've got to come up through penetration testing and learning how to hack Wi-Fi and learning social engineering and all these other skill sets that are something that will contribute to those on-site type engagements. But again, take advantage of the training, the speeches that people are doing. There's a lot of great ways to get into this stuff. I find that a lot of the grotto groups or caving groups in different communities also tend to have an urban exploration component to their grotto.

[00:32:24] And it's also another great way to get permission to go explore some of these locations and buildings legitimately without having to worry about getting busted for breaking in or in or trespassing. Very interesting. So, yeah, it's kind of interesting to see how things have kind of evolved. Do you see as much of those type of red team operations and type of pen tests now? Because I know it seemed like PCI compliance kind of drove stuff to be less full scope.

[00:32:55] So do you think there's still much opportunities for those type of assessments? I do. We do a lot of them, especially with mature clients that are following a best practices approach, right? When these are the clients that when you talk to them, they'll say, yeah, we're doing CIS v8, right? They're not locked into a NIST standard or ISO. They're taking a more broad approach to the controls or the different types of things that they're chasing from a compliance standpoint.

[00:33:23] Interesting enough, too, we have started to come across insurance underwriters that are requiring physical security testing of the buildings controls, physical access, those types of things. Even incident response or emergency response type things when they're doing their underwriting. So just as insurance underwriters will say, you know, you've got to have an annual pen test. You've got to have continuous vulnerability assessment.

[00:33:48] We've now started seeing some there like you have to have a physical security and safety controls assessment as part of what we require for underwriting. So I think that you're going to continue to see a lot of that type of work. The other thing that I've noticed is that since businesses have started returning to work following the pandemic, a lot of those corporate locations were locations that went through or had compromises while people were out and away. Some of this is evil maid attack.

[00:34:16] And it's, you know, people who worked within the business or the building that literally have gone in and broken into people's desks or the file cabinets and stole things they weren't supposed to. You know, most of the time it's not sensitive company data and stuff. It's like petty cash or other things like that. But watching people return back to the workplace, we've also seen an uptick in physical security asks and people wanting to do kind of those full scope assessments of having us come in and do that work.

[00:34:41] I think the big thing is that as attractive and sexy as it is, that type of work is not usually appropriate for a business unless they're fairly robust in their security and the maturity of their security program. Right. We get a lot of folks and they watch Tiger Team back in the day and they'll know me through that. And it's like they want us to come break in and drop in skylights and, you know, rob their business and do all this stuff. And it's like we're more than happy to do that work.

[00:35:07] But if you haven't done the basics around asset inventory, if you don't have an acceptable use policy, if you've never, ever done any OS hardening within your environment, if you don't have some kind of robust security and control system, you're probably wasting money. Right. We always tell people it's like instead focus on those those major movers, the things that are going to make a big difference in your environment. Always do the internal external penetration testing. Always do wireless assessments.

[00:35:35] You know, these are the things that can really help you from a technical perspective, at least understand the overall risk posture that your business is likely facing because you get a good glimpse at that larger environment, larger scope that way. But we're getting down towards the end of the episode. Is there anything you'd like to share before we close it up? Yeah, I think really, you know, one of the big things that that has been beneficial to me throughout my career is that I'm an extrovert and I am one of those few people at the conference that is. I'm happy to see everybody.

[00:36:04] I've got a smile on my face. I'm happy to hug everybody, you know, and I would tell others out there to embrace that. Even even if you're an introvert, finding your community and finding your people within this industry is something that can be life changing and very positively impactful. So I would tell you, you know, if you're going out and you're going to be attending your first DEF CON or a BSides or these types of events, participate, you know, go to the villages, go to the lockpicking classes, do anything and everything you can.

[00:36:33] But during that time, take the time to introduce yourself to people and take the time to, you know, offer to buy somebody a drink. You never know over that beer, you may end up building a lifelong relationship and somebody that you'll be friends with 20, 30 years. Yeah, that's great advice. That's one of the things that I love best about the conferences and even the online community when you finally get to meet people in person, like getting to meet you last year. So that's one of my favorite things. So yeah. Special.

[00:36:59] I love it because it was, we had mutual friends that were trying to introduce the two of us and it's like, we both knew who each other were. We'd never had the chance to hug it out before. So again, that was, that was one of my favorite moments from, from that conference. But in person, no, sorry. I was going to say also, a lot of people haven't heard of some of these events like RVAsec and NOLACON and some of these other regional events. And they're gold.

[00:37:23] If you were in the area and you have the opportunity to go to one of these events, do so because they are just special and exceptional with the people you'll meet, the opportunities you can have. If you're looking for a job, don't show up empty handed. Bring a CV, you know, make it to where you're sitting out there shaking hands and telling people you're looking for work. That's great advice. Yeah. One of the things I loved about NOLACON, I like a lot of the, I like some other small conferences, but I think one of the best things I liked was the single track.

[00:37:53] So if you're speaking, you don't have to miss someone else's talk. If you're seeing one presentation, you don't have to worry about missing another because it's lined up where you can see every talk that's happening, which is pretty cool. Yeah. I think it's a good lesson. I see a lot of the BSides where they'll do multiple talk tracks, but they only run the conference for one day and everybody ends up doing exactly what you said. It's like, what am I going to skip or what am I going to miss so that I don't see, you know, so that I can see one thing or the other.

[00:38:21] I like NOLACON's format because they lay it out over, you know, if you include the training, it's like a five day span of time. I think the conference itself is like two or three days. But, but to your point, one large room, one speaker, one at a time, and it makes it to where you can really get value out of, of, you know, attending and being there and not having to feel like you're missing cool stuff.

[00:38:43] The other thing that I love about like NOLACON and RVAsec, both of these events, amazing, like evening events that go on, you know, as far as like the happy hours and, you know, Tatey's out there doing his performances as, as Dual Core. Or you've got all this really cool stuff that goes on in the evening. So some of the greatest moments of these conferences are not necessarily even at the conference themselves. It's while you're out having cigars and drinking whiskey with somebody that, you know, you've idolized your whole life.

[00:39:12] Like I got to a couple of years ago at RVAsec with a few friends, but yeah, that's, that's really the big thing I'd tell people is get out of your room. Remember why you're there and run yourself dry. Go, go hard. Don't skip meals. Don't skip showers. But, but, you know, you can skip some sleep. Cause it's the one chance and that one opportunity where you really have to hang out with people and build relationships and do something neat. Yeah. Well, thanks for taking the time to join me today. It was great catching up with you. So much for having me. Quite an honor. You're welcome.

[00:39:43] It's an honor to have you on. It's great to hear your stories and I can't wait to see you in a person sometime soon. Yep. You going to NOLACON this year? I need to look that one up. I forgot to submit a talk this year. Is the CFP still open or, you know, it's closed? I don't know that it's still open. I'm going to say this year, we're going to do the same panel again that you were talking about. We've got a little bit more stories that we're going to come back and tell, but we're also going to be out there because Blue Bastion, my company, will be doing the penetration testing.

[00:40:08] So if you're looking to get into penetration testing and you've got a little bit of network and system administrative background, you'll probably meet the requirements of the class. And it's a pretty fun class. They go through, like, I think it's eight different examples of, like, the top things that pen testers do during that first eight hours of testing, right? So it's the attacking broadcast protocols, SMB signing, Kerberoasting, you know, those types of attacks.

[00:40:31] But it's a really neat way that you can come in and spend a day or two taking this class and walk out feeling way more enabled to be able to understand, one, the pen testing work that other providers are doing for you. And, two, being able to understand the impact and why this stuff matters and see the ease of exploitation in some of the cases. So check us out if you're coming out to Snowback Con. Yeah, I may have to try to make it out there regardless because that's a fun conference.

[00:40:57] I've only been one at a time, was in 2019, and really wanted to go back. So my talk got accepted last year and got to go back. So, yeah, I need to plan on that regardless if I speak or not. Yeah, Rob and Yvonne throw an amazing conference. They're very good to their speakers and the staff who work there as well. It's very much a family-feeling type conference. Highly recommend it. Yeah, best speaker dinner of all the conferences. That's a secret, though. You got to go speak.

[00:41:24] If you don't know what Phillip is talking about, you're missing out on some of the greatest food and entertainment that you'll ever have. But you've got to speak at NOLACON. Yes, it's worth that alone. It's overcome your fears of speaking. Yeah, yeah. Good stuff. Thanks. Thank you. Thanks for what? And we'll see you on the next episode. Thank you for listening to The Phillip Wylie Show.

[00:41:51] Make sure you subscribe so you don't miss any future episodes. In the meantime, to learn more about Phillip, go to thehackermaker.com and connect with him on LinkedIn and Twitter at Phillip Wylie. Until next time.