“A man walks into a bank…” That may sound like the start of a joke but as hacker and security consultant Jayson E. Street tells it, it’s really nothing to laugh at. He’s walked into banks, hotels, government facilities, and biochemical companies all over the world and successfully compromised them.
Street is an adversary for hire, Chief Adversarial Officer for Secure Yeti, a DEF CON group global ambassador, and the author of the book series Dissecting the Hack. He sat down with Michael “Roo” Fey, Head of User Lifecycle & Growth at 1Password, on the Random but Memorable podcast to share some fascinating stories about how he “hacks” human nature to get in the literal front door and compromise businesses.
Read the interview highlights below or listen to the full podcast episode.
Editor’s note: This interview has been lightly edited for clarity and brevity. The views and opinions expressed by the interviewee don’t represent the opinions of 1Password.
Michael Fey: How did you get into penetration testing?
Jayson E. Street: In 2000, I found out that you could do security and computers. A VP of an internet bank hired me into network security. For the first 10 years of this new career, I was doing defensive blue team work (defending against attackers). Then I realized: I have to start testing the things that I’m making as if I were a hacker.
Around 2010, I was working for a bank, testing our defenses. That’s when I discovered I was really good at robbing banks. I started doing that more, as well as consulting. I branched out to robbing hotels, research facilities, and government facilities.
In 2016, I started a thing that’s never been done before: security awareness engagements where I use red team tactics (attacking cybersecurity defenses), but for educational purposes.
One of the things I love about Secure Yeti is that they believe in this too – that it’s about education, not exploitation. It’s about educating people so they can become better. The red team only exists to make the blue team better. We’re there to help validate their security, build them up, and teach them what they need to do – not just try to tear them down and break stuff.
MF: Can you walk us through your process for penetration testing? I’m sure the ultimate goal is getting in and getting the prize, but how do you approach it?
JES: Honestly, that’s not always the goal. I guarantee to my clients, in our contract, that I will get caught during the engagement. Because again, I’m trying to teach them. If we give them a report and it’s like, “Oh, I just destroyed everything,” the only thing that gets back to the employees is that they failed.
I’ve had to work at giving wins, but I make sure that everybody wins at least once. Then I can say, “Okay, yeah, we have to work on these things. But hey, look at Ann. She didn’t open the door for him. She questioned him. She checked his ID, she reported it to security and he got caught.” It makes it a little more of a positive experience.
There are so many red team people who are so focused on winning and think: “I’m going to go in, I’m going to punch them in the face and shoot the guy.” There’s all this toxic masculinity throughout the red team, unfortunately.
My whole thing is, I don’t want my clients to see sophistication. I want to show them how bad the situation really is – how basic it can be.
“I want to show them how bad the situation really is – how basic it can be.”
I’ve got a video that I did at a talk. I use a hidden camera to show how I literally walk through the front door of a bank while employees are still on their lunch break and compromise the first machine in 15 seconds. I finished the attack in under 30 seconds.
An employee did the right thing and stopped me, but then she allowed me to do sort of an interception of the conversation where she thought that I was going to be honest when I talked to the manager. She escorted me to the manager’s office, the manager saw that I was waiting, but there was someone else in the office. The employee believed me when I said, “I’ll talk to him,” and I dismissed her and she left.
I went into the manager’s office and assumed the role of, “I’m here with the help desk. We’re trying to make the network faster.” He escorted me to every machine, and I did a 100% compromise of every machine in that branch, including the wire transfer computer and the network servers. He gave me full access to everything, and he walked with me to do it.
MF: Wow.
JES: Everybody worries about Zero Days. It’s like, “Oh, I got to worry about AI. I got to worry about all this blockchain and the kill chains coming in at us.” And I’m like, “You keep talking about how we need to secure low-hanging fruit. Screw the tree, OK? You’re not ready for the low-hanging fruit. You’ve got fruit rotting on the ground. Pick that stuff up, do some proper asset management, and do some proper patch management.”
We want to keep looking at all these other things that we’re supposed to be defending against when it’s the simple stuff of someone walking in off the street. Or someone sending an email that ends up costing a company $300 million.
MF: Can you recall an infiltration where you really had to do your research? Maybe you used social engineering, or monitored people’s patterns at work?
JES: One time I was robbing an institution in New York City. It was across the street from Ground Zero in the financial district. It was very high security. They did not expect me to get in. This is the reason why I still say to this day that the only thing worse than no security is a false sense of security.
They had canine SWAT police officers patrolling the mall and the lobby areas. They had four to six security guards. In the main elevator lobby, you had to show them your driver’s license and get an ID name tag with your picture on it before you were allowed to go through the metal detectors, which led to the elevator and up to the office.
I went in on the first day. I went up to the security desk to see if I could get a job interview. They were like, “Nope, you have to call ahead.”
So the next day I go back in. By the way, you always try to attack people in office buildings with building security between the hours of 4PM and 6PM. The 7AM to 3PM shift, that’s your A team, the people who are on the ball. The 3PM to 11PM shift goes to new hires, the ones that aren’t set in the patterns, the ones that don’t know everybody.
“You always try to attack people in office buildings with building security between the hours of 4PM and 6PM.”
When I showed back up the next day around 4:30PM in the afternoon, the company was having a meeting upstairs and there was another guy waiting to get up there, too.
I did a crosstalk attack like I did with that bank manager. I talked to one security person and then I talked to the other one and they saw me talk to that person. They made my ID and created my badge. I struck up a conversation with a guy who was legitimately going to this place like, “Oh, you’re going up there, too?” “Yeah.” It made it look like we were together. So when the receptionist came down to escort us up in the elevator, she made the assumption that we were together.
As soon as we got upstairs into the lobby area, I said: “I’ve got to go to the restroom. I’ll meet you in the conference room.” I go and I see an open door that goes to the mailroom. There’s an unlocked computer there and I compromise the first machine. I’ve already compromised their network. And then I go to the break room.
I don’t attack people over social engineering. I attack human nature. How people operate. Being on the spectrum, it’s like I had to be raised to try to watch people and figure out how normal people work, because they’re terrifying. That’s why I’m so successful at robbing people on five different continents.
“I attack human nature. How people operate.”
It’s like the biggest myth that society tells us: that we’re so different. The truth is we’re all humans! I don’t care if you’re in China, Singapore, Brazil, or Britain – guess what? You’re the same people. You all still come up with the same assumptions. You still come up with the same kind of attitudes. That’s what I’m trying to rob – I’m going after human nature.
MF: I’m curious to hear a story where you were just completely shut down at every turn, where people did everything right.
JES: I’m so glad you asked that. No one talks about it enough. It’s like everybody wants to talk about me accidentally robbing a bank, or something like that, because it sounds cool.
But I did rob a bank in 2020 where it was a fail. I had robbed the same place in 2019, and I destroyed them. They’d never had a red team engagement where they actually got up into their office area. And within 30 minutes, I was sitting at the desk of the person who hired us. When he came out of a meeting, he saw me at his desk. He had to go with me to take the badge back that I had stolen off of someone’s desk. It was bad. But that’s not the story.
Companies are paying for you to communicate to management why these changes need to happen. I did a report. I didn’t do a nice little written report. I educated management about what was going on, how I was able to do these things. I had security go on a walk with me and watch as I compromised some people live – and their jaws just dropped.
In January 2020, I went back to this client. I changed my appearance. It’s like I knew it was going to be more difficult. I might be recognized. It was a brand-new receptionist. Didn’t matter. I didn’t get in. I walked up like I owned the place. I didn’t even get to the stairs in the lobby before she said: “Excuse me, you need to sign in.” I was like, “How does she know I’m not an employee?”
That year, during their company all-hands meeting, the CEO, who only gets one hour to speak, spent 15 minutes on security. He spent 15 minutes talking about the responsibilities of employees for security awareness, maintaining the security of their personal items, computers, and cubicle space.
“During their company all-hands meeting, the CEO, who only gets one hour to speak, spent 15 minutes on security.”
They also instituted color-coded lanyards. If you had a green lanyard, you were an employee. If you had a red lanyard, you needed to be walked in and escorted everywhere. And if you had a yellow lanyard, you were a contractor, but not trusted. I didn’t know that at first. So, I registered. I put the name of the person I’m supposed to be working with, and then of course, I was like, “I need to go to the bathroom.”
Instead of turning left into the bathroom, I turned right down this hallway and compromised two machines right off the bat. I’m technically successful. But that didn’t matter. Because there was a woman who was in her office. She got on the phone and reported me because she knew I was sketchy. It was awesome.
“She got on the phone and reported me because she knew I was sketchy. It was awesome.”
I could have gone to the stairs so I could say I ‘escaped’ and therefore won. But no, that’s not what it’s about. So, I start walking toward the receptionist’s office. The guy who I was there to meet was already coming down the hallway because reception reported that I deviated from the path. There was a camera right above the hallway that she gets to watch. She saw that I went the wrong way.
Throughout that whole engagement, even though I compromised every section, someone stopped me. Someone said “no.”
And that’s including the second day. That night, I went back and I got the cleaning crew to let me in. I broke in and I stole all the lanyards – the green ones and red ones and yellow ones. On the second day, I had a green lanyard because those were cool. But they still questioned me and said “no.” They were like: “I’m not allowed to let anybody plug anything into the computer unless I get an email from the help desk. I didn’t get one. If you don’t mind, I’ll call them and verify. And what’s your name again? So I can see if they know you.”
I validated that their security programs were working because, even though I was successful, I was not successful for more than 15 minutes without someone stopping me.
“We need to stop trying to build defenses as walls. What’s more important is how quickly you can detect and how quickly and effectively you can respond.”
Humans make mistakes but if they correct it and someone reports it, you’re dealing with a 15-minute breach versus a five-month breach. That’s important because we can’t prevent things. We need to stop trying to build defenses as walls. What’s more important is how quickly you can detect and how quickly and effectively you can respond. That’s the dealbreaker for a company that’s going to survive a breach or not.
MF: I appreciate you making the time for us today! Is there anywhere that people should go to learn more about you?
JES: My main site is jaysonestreet.com. Places I go: hackeradventures.world. And I live-tweet my life on Twitter.