🔖Nah man, humans are just too stůpid. In my country, everyday we got dozens of warnings about text scams and everyday hundreds of people still fall victim. Humans have been getting scammed since the caveman days and they'll still get scammed til eternity, the technology just changes but the scams stay the same. MLM scams today are just modern variations of investment scams in the early 1900s.
Yep - most people think they are excellent judges of character, and when someone acts professional and polite while asking them for a simple innocent favor.... problems occur.
We think Ants are simple creatures. They trust everthing that carries a specific pheromone. In a corporate environment that's a badge and maybe a clipboard :)
almost every person want so act superior or feel superior, so if you act politely and as a newby looking for new things, you most probably are going to bypass a lot of human security because of that, it is something that sadly had happen to me some times i lost myself in a place, i usually end up with the staff at the staff side like a rookie, until they see that i am not of the staff and i am only lost, but at that point i am some steps of their boss, their servers or close/in to some critical building XD.
It’s not necessarily being a bad judge of character. Psychologically, humans inherently want to trust their fellow humans. Unfortunately, that opens the door for people to get taken advantage of.
True, until the attackers get inside. Then they have to get it right each time to not get caught. They just need to make a single mistake to get caught by the blue team
@@basse889990 again still much easier, its not the case that any single mistake will get them alerted. In some environments, monitoring may never pick up the attack happened, and companies only know when the data gets released or sent a ransom (this happens a lot...). Blue team has a much harder job every single time.
That’s not entirely true. Any bigger company will have multiple layers of defence. So you get through one you might get stopped on the next level. It’s usually also just about making it uneconomical to attack you. It’s like bicycle locks. There isn’t a lock that can’t be broken open in a few seconds if you have the right tools. Still if you want to protect your bicycle a bike lock is a very useful tool and if the bike next to you has a shittier lock it’s likely that bike will be stolen before yours.
A pen testing attack vector I heard about recently: the pen testers had set up a booth selling some kind of drink or snack right in front of the target company with a promotional sign: Scan your badge and see if you qualify for a discount! Apparently people were handing over the badge credentials in troves...
His hot take is 100% accurate. Phishing is by far the most popular and effective way to penetrate an environment. It is far more tedious and cumbersome to develop sophisticated malware than it is to get an ignorant person to scan a QR code. If everyone developed basic knowledge on how to identify phishing emails, there would likely be over a 90% reduction in cyber crime out there.
Im so happy seeing someone say this. I've been saying the same thing every time something gets "hacked." i don't even call phishing hacking because it's more like a scam.
Ah you again pretending to know what your talking about. Hot take, huh? This line has been said and has remained true for over 10 years, if anything thinks this is new information you truly have no idea about IT security. (which makes sense give your other inane comments trying to call out other people)
@@benhook1013 yeah I do know what I’m talking about since I hold both CISSP and OSCP. All I did was agree with his statement, but you went on a tangent about “new information”, which I never said it was. I’m guessing you’re just an internet rando “IT security” or sysadmin wannabe who thinks using wireshark makes him Mr Robot? 😂🤡
As a software engineer, you have no idea. It's only getting worse too. Due to the user friendliness of modern day technology (think today's iPhone vs Windows XP) users are required to know less and less about their technology because it "just works". Combine that with the Internet of Things, that so many devices connect to the internet, that even hacking someone's Wifi toaster could be a dangerous exploit in the wrong hands because that gave them access to everything on your network.
99% of people use the same username and passwords for all sites and they don't use two-factor authentication. I'm a computer programmer and a hobbyist hacker and I can into people's Instagram and Facebook accounts. There are professional hackers out there that are 100 times better than me. Yeah that's a scary thought.
@@benoitbvg2888 watch Jayson E Street's DEFCON presentations, as they've said above; many peeps are only looking at the surface level without even properly seeing what's in front of them
@@benoitbvg2888 how much people know what a "penetration tester" do? and how much people only assume that is a thing of informatics wich they do not want to talk?
@sreyashkanjilal4929 Learn I.T. Helpdesk and Networking first. Then pivot into focusing on network security. Security gigs are an "after 5-10 years of experience" career.
@@sreyashkanjilal4929 , nope, that's not a youtube block, I think it's a person removing replies, curious if the channel moderator is removing such posts.
I'm CEH/OSCP myself and I have to say the information that was put out here is awesome. Way to go, and very well articulated. Lots to learn for those willing to - keep it up!
I'm in college for cybersecurity engineering right now and this video was great, this guy explains a lot of these concepts very well for people who aren't familiar with the field
what are the requirements for getting into that field? I understand hardware far better than software, can barely code without using AI, but have thought about it. My local college says you need an degree in IT first, but they don't offer that sadly
@@mattc9598don't worry about the degree nonsense. You can learn software Online. You will be confused at first, but don't worry. Just use online resources.
@@mattc9598 interest in the field, mostly. As long as you're passionate you don't even need university to start as an analyst, I highly recommend researching certificates and requirements and just studying for those.
@mattc9598 what field exactly? It? Engineering? IT is very broad so if you can provide some additional information I may be able to point you in the right direction. What stuff are you interested in?
@@RealWorldMaverick exactly.. you dont really need a degree or even much technical knowledge to get into penetration testing. That is part of it but there are also people that specialize in the social engineering side of things. I would love to get into physical penetration testing. I listen to Darknet Diaries and that side of things honestly seems like a fun job. You are getting paid to get access to buildings and areas you shouldnt have access to.
Talked to a guy in IT connected to banks. The hackers can scope people so well. A CEO had his kid at a school. A major incident happened at that school. Within less than an hour they had sent a very official looking e-mail to the CEO with a link, that they said was for more information about the schools reaction amd which children were affected. So they had scouter the CEO and his family, and set alerts to if media wrote anything about things such as the childs school. Kinda scary
I worked at a high class hotel for some time and had to prepare a report where I wrote everything down I could find on the internet about our guests. You wouldn't believe how much info you get about millionaires/billionaires, just by googling them.
Even as a computer professional, and computer sales person for over 20 years, this video is still quite informative. Take the heart the information this gentleman has posted. It could save you and your company a lot of time.
5:25 - The envelope trick is amazing, that's one I'd not considered before. I try to be as security conscious as possible, but I think I'd have fallen for that.
Yeah stuff like that and the email to the CEO about the conference are very scary. Not falling for random phishing attacks it one thing, but we usually aren't expecting anything that is more targeted.
- im sure that worked like a charm 20 years ago. these days a security camera will ID you dropping a weird envelope on the desk and the FBI will be at your door 5am ready to take you and all your computer crap down to the field office😅
Unless of course company execs don’t want a security cam in their office. IT and the security team might also not want cams in offices on the offchance the system gets compromised and now the intruders get unrestricted access to things they just need to lie low and wait around for. Bonus points if the surveillance system also includes audio.
@spg1794 Not all places that need good security have good security. Don't forget, leaders of companies are people, and people can be extremely stupid. That security breach that happened a few years ago with EA where hundreds of thousands of gamers' personal information was compromised? That was just a series of phone calls to get that information, and six months earlier guys like this dude told the CEO and Board that this was an extremely dangerous flaw, and they did nothing about it.
I’m not in the field of IT and watched this out of curiosity. He explained things so well and I understood a lot more than I thought I would! Really interesting!
I think the reason why email continues to be such an effective vector for attacks is because of the sheer volume of email people receive in a day. Especially in large companies where everyone is copied on everything
That is way too true. And then among all the clutter, someone sends a message about registering on a 3rd party website with your internal password, which you competently identify as an obvious phishing attempt, hah! Only to find out it was actually your boss and he actually wants you to do that and he tells you in person, completely oblivious about everything.
The reason is HTML email, which effectively hides what’s actually in the message data. Links are disguised and lead to bogus sites. Another disaster we can thank Microsoft for.
He's a very well-known name in the space. If you search his name on UA-cam, you will find tons of speaking events that he's done over the years. It'll keep you busy for a while.
One time I had to argue with my manager that the request to provide server credentials to a vendor is 100% a pen-test and I was not going to oblige. We argued for days over it and I did not budge and of course it turns out it was a pen-test. Sadly, this was in an IT department and IT management is pretty clueless when it comes to this and just "want things done".
Not knowing technology is one thing, but people who brag about being computer illiterate is another thing. They lash out at people helping them with security advice. I see it everyday on Reddit; *"I don't need your security advice! I don't believe in this computer mumbo jumbo! I don't believe in all these threats! You people are just being paranoid!".*
This is one of the best of this series, together with Burial Support. 😂 This guy kept me glued to the screen wanting to know more about what he had to say
We have the rule if someone does not lock their laptop and walks away, it's fair game to send "I'll bring cake tomorrow!" in the company wide Slack channel. It's not much, but it's a start of some education about security. And cake.
It’s shocking how many people leave their desktops unlocked. It’s like wearing a seatbelt for me, I don’t feel comfortable until I hit Ctrl L before I leave my desk. Also predictable passwords that they don’t change frequently. The number of “Admin” “admin” server admin accounts I’ve seen is also concerning.
I enjoyed your video. I’m older going back to school at Devry for IT and Networking. At the moment got online classes dealing with Cisco security. The other wire, wireless and optical. There’s so much to learn and it’s getting more interesting as I get deeper into the tech world. I’m still on the surface while getting a solid understanding.
Annual pen testing reminds you it is best to not trust anyone and treat everything as suspicious. This was another good reminder to be careful online. Spear-phishing scares me the most. Some attempts are very hard to spot.
I've been spear phished more than a few times. Some of them are very convincing. It does make me wonder about the security of a platform like LinkedIn in conjunction with the standard first.lastname@companydomain. If email wasn't as easy to guess I think that would decrease phishing attacks of all kinds.
Absolutely true 😂 annual pen testing was the only time I got commended for being grumpy and telling front desk "I'm not expecting anyone, send them away" when red team tried to use me to get physical access to the building under the guise of a visit
Thanks for the blue team love! We love you right back, even if we don't always show it. Also: clipboard + hi-vis vest is also an amazing pen test tool. Bonus points if you have the metal clipboard with storage. And practice a bored, slightly disgruntled (not full on angry) look. 30 bucks at Amazon and a few basic acting chops go a LONG way to getting you into places you shouldn't be.
Never would I ever pick a USB no matter how tempting it feels. Also loved it when asked "how to rob a bank" and he said that he knows but wouldn't tell 😂
Jason has done a talk at Defcon called “Steal Everything, Kill Everyone, Cause Total Financial Ruin!” where he breaks into a building using a piece of cardboard. Cannot recommend it enough.
I'm the opposite. I'd never ignore one and honestly, I'm surprised Jayson said he would. It seems far more plausible he's got a bunch of secure burner laptops he can use to plug them in and find out what other people are trying to hack with.
This has to be one of my favorite Support videos on Wired (the others being Mortician Support and Doc Support). More of this, please! Very educational and enlightening.
I stumbled across an old spy video that had a unique spy gadget hidden in a belt. Even a tool made in the 1930's seemed so technologically advanced. It made me wonder just how crazy the spy/hacker technology must be today. And this video made it clear: it's absolutely crazy.
Out of the best videos I have seen on Wired. I hope to see a second part with that same guy. He is quite clear in the way he speaks and you can also tell he knows quite a lot 😃
Yeah, I felt that one, too. When I was programming back in the day, 'What do you mean I have to document every single line of code?' And don't get me started on flowcharts. I had hair back then, and there were times I was pulling it out. It's all gone now, so who know what caused the baldness. At least my salt and pepper beard is working.
True. What's the most difficult part of a PhD program? Thesis write-up - not the research part of it. I know a few guys who did not complete their doctorates because of it.
If only more concepts were as quick and easy to understand as this was. I’m in cybersecurity wanting to branch out and this was the information I needed before I got started. Thank you
The weakest part of your network is always the human element. Train your people on what to expect, and train them to raise the red flag when something seems at all suspicious. I've been in this industry for 20+ years and even I've had pen testers get through my defenses. It was a valuable lesson: even a professional isn't beyond making mistakes. And it didn't happen again.
Treating them with common decency also helps since they will actually care what happens. You treat them like crap they won't care about their job and so won't take actions as readily if they see something wrong. It becomes a "not my problem" situation.
My job forces us to go through cybersecurity trainings. Not only are they boring, they're poorly designed. This video is miles better than the training we're given, and actually is engaging. Bravo
I was gagged the whole video, this guy is the simultaneously the coolest person in the world and the most dangerous person in the world. Respect him fr
I believe the right thing to do if you catch someone with a "get out of jail free card" is to escort them back to a public area, and wait for the person that will actually release them. However, in a real situation, there is always the threat of violence.
Either that, or call your boss who should be high enough to be able to directly call whoever is apparently responsible for the unknown person. Because as mentioned in the video, the numbers might be false and the answering party might give excuses why they can’t appear in person to validate the intruder, while the person you are detaining is putting pressure on you because you are costing the company precious time and money…
@@halfsourlizard9319 yeah. phones didn't get tossed out in 1966. Or what do you think that little rectangular device in your pocket is meant to be used for?
Currently in college for Cybersecurity and I'm so glad this video came out. Honestly makes me much more excited to study this field more. Also was thinking of going for my masters in this field, is it worth it? I also would get certs along the way
6:40 - sweet now I can use my lack of skills and experience as a way to convince employers that I’m too smart and experienced to just be sharing that information on the internet. The ultimate interview bypass
My favorite breach ever is using part of a plant in the lobby to use to trip the motion sensors on every door. They expected all these technological gadgets and I got in with a nylon plant piece.
A lot of good tools here, we use to make all of our own tools. One thing he didn't mention 95% of the telco rooms are outside the building and once you have access to the MPO/DMARC you have ultimate access to their phones and Internet access.
@@myname-mz3lo Because attacks happen constantly, every single day? I'm not scared personally, but you're talking like crime is a small-time problem. It's big.
i remember there being a thing with apple's calendar. you could inject code when sending a schedule request, this wouldnt be a problem since you need to accept it first. but apparently if you send a schedule request for a date in the past, it automatically puts it in the target's calendar and it could run the code
Working at a company where phishing simulations for all employees are done like a mini-game, with leaderboards and clever traps. Got caught once, been paranoid and vigilant ever since. Best way to learn is to make mistakes thanks to simulations. Surprisingly efficient.
Really well explained video and it's amazing when he breaks down all the various tools he uses and how easy it is to be hacked with any number of those tools.
6:14 #MaxFosh managed to get into the major security convention in Las Vegas, with this trick among others. He wasnt detected. He. Snuck. In. To. A. SECURITY. Convention :D
Wow his analogy of an firewall being compare to a bouncer at a club was great! It was never put to me like that, granted I knew what a firewall was but his comparison makes it easier to understand.
how is it scary ? he hacks companies so that bad people dont .. its reassuring more than anything to know that there are more good hackers than bad ones
It's funny you mention attire. At one point, I had long hair that went halfway down my back. I tested once to see how differently I was treated if I went somewhere dressed in jeans and a T-Shirt, then later with my hair tied back, neat as a pin in a thousand dollar suit. It's incredible the difference in perception and how you're treated. Not to mention the trust afforded you. Nobody even realized I was the same person.
Wearing a delivery, maintenance, or janitor uniform can get you a lot of places too. People tend to not pay attention to laborers. Especially when you get a lazy security person.
"Every employee is part of the security team" -- This is such a good take. I wish I could get my coworkers to understand this.
But how do you motivate completely uninterested employees to learn about IT security? (Assuming management is also just as uninterested.)
I certainly sense no interest assuming management spoke up.
They probably don't get paid enough to care about their normal job, let alone security
@@bpb210It's a culture thing. My team sends out pretty regular phishing tests via email that we send to specific departments, or all employees.
🔖Nah man, humans are just too stůpid. In my country, everyday we got dozens of warnings about text scams and everyday hundreds of people still fall victim. Humans have been getting scammed since the caveman days and they'll still get scammed til eternity, the technology just changes but the scams stay the same. MLM scams today are just modern variations of investment scams in the early 1900s.
Its amazing how much hacking occurs just by asking nicely.
Yep - most people think they are excellent judges of character, and when someone acts professional and polite while asking them for a simple innocent favor.... problems occur.
Not just hacking. A lot of crime is committed that way.
We think Ants are simple creatures. They trust everthing that carries a specific pheromone. In a corporate environment that's a badge and maybe a clipboard :)
almost every person want so act superior or feel superior, so if you act politely and as a newby looking for new things, you most probably are going to bypass a lot of human security because of that, it is something that sadly had happen to me some times i lost myself in a place, i usually end up with the staff at the staff side like a rookie, until they see that i am not of the staff and i am only lost, but at that point i am some steps of their boss, their servers or close/in to some critical building XD.
It’s not necessarily being a bad judge of character. Psychologically, humans inherently want to trust their fellow humans. Unfortunately, that opens the door for people to get taken advantage of.
As has often been said, the defenders (blue team) have to get it right every single time. The attackers (red team) only have to get it right once.
True, until the attackers get inside. Then they have to get it right each time to not get caught. They just need to make a single mistake to get caught by the blue team
@@basse889990 Truth. Makes my job much easier when your average hacker's first thought is "I'll start a cryptominer!".
@@basse889990 facts. But sadly I have often seen that eventho blue teams are able to detect, rapid containment can be incredible hard.
@@basse889990 again still much easier, its not the case that any single mistake will get them alerted. In some environments, monitoring may never pick up the attack happened, and companies only know when the data gets released or sent a ransom (this happens a lot...). Blue team has a much harder job every single time.
That’s not entirely true. Any bigger company will have multiple layers of defence. So you get through one you might get stopped on the next level. It’s usually also just about making it uneconomical to attack you. It’s like bicycle locks. There isn’t a lock that can’t be broken open in a few seconds if you have the right tools. Still if you want to protect your bicycle a bike lock is a very useful tool and if the bike next to you has a shittier lock it’s likely that bike will be stolen before yours.
A pen testing attack vector I heard about recently: the pen testers had set up a booth selling some kind of drink or snack right in front of the target company with a promotional sign: Scan your badge and see if you qualify for a discount!
Apparently people were handing over the badge credentials in troves...
That's an oopsie.
So trust no one.
Roger that
Dang that would be tempting 😂
This guy communicates! Short and concise. Also...Wired...Give your editors a raise. They rule.
Wired Support is one of the best things on the internet. I think everything about it is perfect and I hope they never change it.
He's busy! Got things to do, companies to destroy...
(or help, as this case may be).
Yes this!!
become a CEO before asking other companies to give them the raise.
I think he should do a whole series on how us mere commoners can better protect our S!
Why do all pen-testers look like they were kicked through the Las Vegas strip
great way to describe it lol
through?
Because defcon (big hacking convention) is in las vegas
They were?
A lot of them live in vegas
His hot take is 100% accurate. Phishing is by far the most popular and effective way to penetrate an environment. It is far more tedious and cumbersome to develop sophisticated malware than it is to get an ignorant person to scan a QR code.
If everyone developed basic knowledge on how to identify phishing emails, there would likely be over a 90% reduction in cyber crime out there.
Im so happy seeing someone say this. I've been saying the same thing every time something gets "hacked." i don't even call phishing hacking because it's more like a scam.
Ah you again pretending to know what your talking about. Hot take, huh? This line has been said and has remained true for over 10 years, if anything thinks this is new information you truly have no idea about IT security. (which makes sense give your other inane comments trying to call out other people)
@@benhook1013 yeah I do know what I’m talking about since I hold both CISSP and OSCP. All I did was agree with his statement, but you went on a tangent about “new information”, which I never said it was. I’m guessing you’re just an internet rando “IT security” or sysadmin wannabe who thinks using wireshark makes him Mr Robot? 😂🤡
@@benhook1013 Is your iq low or are you simply ignorant?
Yep, scan a QR code or click a link that says, "Click here to learn how to avoid scams..."
I know Jayson personally, and he’s just an incredible human. So happy to see him here ❤
It always scares me how little we, the average non-tech people, actually know about all this stuff
I didn't understand a single word he said lol
As a software engineer, you have no idea. It's only getting worse too. Due to the user friendliness of modern day technology (think today's iPhone vs Windows XP) users are required to know less and less about their technology because it "just works". Combine that with the Internet of Things, that so many devices connect to the internet, that even hacking someone's Wifi toaster could be a dangerous exploit in the wrong hands because that gave them access to everything on your network.
True. I know the bare minimum but I don't trust much so that helps.
99% of people use the same username and passwords for all sites and they don't use two-factor authentication. I'm a computer programmer and a hobbyist hacker and I can into people's Instagram and Facebook accounts. There are professional hackers out there that are 100 times better than me. Yeah that's a scary thought.
with great power comes great responsibility.
He is not a pen tester, he is a full-blown secret agent.
Ummm, what do you think pen testing is? It's all corporate espionage or defense against it. Secret agent literally by definition.
Agree! The eyebrows give him away...
Bond.. James Bond
This "kind" of hacking is actually called Social Engineering, the reconnaissance part the guy was talking about. Look it up
@@Zevilon05 James Blonde?
I love that his job title on his Microsoft badge is "hacker".
Didn't even look at that, that's hilarious.
@@GeekGamer666 yep, and that's the lesson, most people aren't actually checking.
...but he presents himself as a "penetration tester"...
@@benoitbvg2888 watch Jayson E Street's DEFCON presentations, as they've said above; many peeps are only looking at the surface level without even properly seeing what's in front of them
@@benoitbvg2888 how much people know what a "penetration tester" do? and how much people only assume that is a thing of informatics wich they do not want to talk?
If this guy had an internship or some certification program I would 10000% sign up for his program
There's numerous. I recommend OccupyTheWeb's courses and books. Check out their website
I am a security engineer and I loved every bit of this video.
hey , i really want to know something. Can you tell the process to become a penetration test/ hacker ??
Skillset. Learn as much as you can and get good at it. @@sreyashkanjilal4929
@sreyashkanjilal4929 Learn I.T. Helpdesk and Networking first. Then pivot into focusing on network security.
Security gigs are an "after 5-10 years of experience" career.
Me too! I'm an ethical hacker/pentester
@@sreyashkanjilal4929 , nope, that's not a youtube block, I think it's a person removing replies, curious if the channel moderator is removing such posts.
I'm CEH/OSCP myself and I have to say the information that was put out here is awesome. Way to go, and very well articulated. Lots to learn for those willing to - keep it up!
I'm in college for cybersecurity engineering right now and this video was great, this guy explains a lot of these concepts very well for people who aren't familiar with the field
what are the requirements for getting into that field? I understand hardware far better than software, can barely code without using AI, but have thought about it. My local college says you need an degree in IT first, but they don't offer that sadly
@@mattc9598don't worry about the degree nonsense. You can learn software Online. You will be confused at first, but don't worry. Just use online resources.
@@mattc9598 interest in the field, mostly. As long as you're passionate you don't even need university to start as an analyst, I highly recommend researching certificates and requirements and just studying for those.
@mattc9598 what field exactly? It? Engineering? IT is very broad so if you can provide some additional information I may be able to point you in the right direction. What stuff are you interested in?
@@RealWorldMaverick exactly.. you dont really need a degree or even much technical knowledge to get into penetration testing. That is part of it but there are also people that specialize in the social engineering side of things. I would love to get into physical penetration testing. I listen to Darknet Diaries and that side of things honestly seems like a fun job. You are getting paid to get access to buildings and areas you shouldnt have access to.
More of this guy please. This stuff is so prevalent nowadays
Talked to a guy in IT connected to banks.
The hackers can scope people so well.
A CEO had his kid at a school. A major incident happened at that school. Within less than an hour they had sent a very official looking e-mail to the CEO with a link, that they said was for more information about the schools reaction amd which children were affected.
So they had scouter the CEO and his family, and set alerts to if media wrote anything about things such as the childs school.
Kinda scary
or they played a role in whatever happened
I worked at a high class hotel for some time and had to prepare a report where I wrote everything down I could find on the internet about our guests. You wouldn't believe how much info you get about millionaires/billionaires, just by googling them.
This expert is both the stereotype of a hacker and a counterstereotype of how pop culture imagines a hacker. Love it!
Even as a computer professional, and computer sales person for over 20 years, this video is still quite informative. Take the heart the information this gentleman has posted. It could save you and your company a lot of time.
5:25 - The envelope trick is amazing, that's one I'd not considered before. I try to be as security conscious as possible, but I think I'd have fallen for that.
Yeah stuff like that and the email to the CEO about the conference are very scary. Not falling for random phishing attacks it one thing, but we usually aren't expecting anything that is more targeted.
- im sure that worked like a charm 20 years ago. these days a security camera will ID you dropping a weird envelope on the desk and the FBI will be at your door 5am ready to take you and all your computer crap down to the field office😅
Unless of course company execs don’t want a security cam in their office. IT and the security team might also not want cams in offices on the offchance the system gets compromised and now the intruders get unrestricted access to things they just need to lie low and wait around for. Bonus points if the surveillance system also includes audio.
@spg1794 Not all places that need good security have good security. Don't forget, leaders of companies are people, and people can be extremely stupid. That security breach that happened a few years ago with EA where hundreds of thousands of gamers' personal information was compromised? That was just a series of phone calls to get that information, and six months earlier guys like this dude told the CEO and Board that this was an extremely dangerous flaw, and they did nothing about it.
@@spg1794 even if they do get caught doesn't mean there won't be damages
I’m not in the field of IT and watched this out of curiosity. He explained things so well and I understood a lot more than I thought I would! Really interesting!
I think the reason why email continues to be such an effective vector for attacks is because of the sheer volume of email people receive in a day. Especially in large companies where everyone is copied on everything
That is way too true. And then among all the clutter, someone sends a message about registering on a 3rd party website with your internal password, which you competently identify as an obvious phishing attempt, hah!
Only to find out it was actually your boss and he actually wants you to do that and he tells you in person, completely oblivious about everything.
The reason is HTML email, which effectively hides what’s actually in the message data. Links are disguised and lead to bogus sites. Another disaster we can thank Microsoft for.
De activate all emails. Use Office 360/Teams. It is end to end.
Need more of this! Definitely my favorite speaker and content thus far. Educational and entertaining
This guy is great. I'd love for him to return with more QA!
He's a very well-known name in the space. If you search his name on UA-cam, you will find tons of speaking events that he's done over the years. It'll keep you busy for a while.
Oh man, you right. I'm about to binge right now lol. Thanks, @@johnmiller9931
@@johnmiller9931thx!
Hes done presentations at Defcon, he's very entertaining
WHT is his name
This was spectacular. The way Jayson communicates shows his mastery over the subject
One time I had to argue with my manager that the request to provide server credentials to a vendor is 100% a pen-test and I was not going to oblige. We argued for days over it and I did not budge and of course it turns out it was a pen-test. Sadly, this was in an IT department and IT management is pretty clueless when it comes to this and just "want things done".
You definitely could have rubbed that in their face, great job!
Not knowing technology is one thing, but people who brag about being computer illiterate is another thing. They lash out at people helping them with security advice. I see it everyday on Reddit; *"I don't need your security advice! I don't believe in this computer mumbo jumbo! I don't believe in all these threats! You people are just being paranoid!".*
Did you get promoted?
Is kinda sad and pathetic that some IT managers have 0 knowledge of basic cyber security measures
@@Peacekeeper_84The Jen Barbers of the IT world. People persons.
I'm still amazed on how this guy can articulate all this information for anyone to understand!
I was an IT Security Admin for a big restaurant group. We had to go through PEN testing every year. I don't miss it one bit
hey , i really want to know something. Can you tell the process to become a penetration test/ hacker ??
I don't know how you guys sleep at night having to worry every minute about someone hacking into the systems you need to keep secure.
@@jameslarosa2396 Most of the time, we don't
you have to be really good at researching things on the internet instead of asking people for help thats step one lol@@sreyashkanjilal4929
I like to call it PEN15 testing and throw in as many phallic facsimiles as I can get away with in the report while playing dumb.
This is one of the best of this series, together with Burial Support. 😂
This guy kept me glued to the screen wanting to know more about what he had to say
We have the rule if someone does not lock their laptop and walks away, it's fair game to send "I'll bring cake tomorrow!" in the company wide Slack channel. It's not much, but it's a start of some education about security. And cake.
I was told there would be cake but it was a lie. Taking my stapler was the last straw, so I burned down the building.
Clever! We used to change people's languages.
Ctrl-shift-Right (on Intel integrated graphics machines) is another good one for messing with people who leave their computer signed in.
Same way Rickrolling has been one of the best ways to teach people to be cautious about which links you click.
It’s shocking how many people leave their desktops unlocked. It’s like wearing a seatbelt for me, I don’t feel comfortable until I hit Ctrl L before I leave my desk.
Also predictable passwords that they don’t change frequently. The number of “Admin” “admin” server admin accounts I’ve seen is also concerning.
I enjoyed your video. I’m older going back to school at Devry for IT and Networking. At the moment got online classes dealing with Cisco security. The other wire, wireless and optical. There’s so much to learn and it’s getting more interesting as I get deeper into the tech world. I’m still on the surface while getting a solid understanding.
Annual pen testing reminds you it is best to not trust anyone and treat everything as suspicious. This was another good reminder to be careful online.
Spear-phishing scares me the most. Some attempts are very hard to spot.
People in the security industry tend to express this a bit differently - "trust _BUT VERIFY"._
I've been spear phished more than a few times. Some of them are very convincing. It does make me wonder about the security of a platform like LinkedIn in conjunction with the standard first.lastname@companydomain. If email wasn't as easy to guess I think that would decrease phishing attacks of all kinds.
Phishing has become even more effective now that non-English speaking hackers can leverage LLM such as ChatGPT to write more convincing emails!
Absolutely true 😂 annual pen testing was the only time I got commended for being grumpy and telling front desk "I'm not expecting anyone, send them away" when red team tried to use me to get physical access to the building under the guise of a visit
@@julianakarasawa315 They're probably going to treat that as a competition for you guys haha
As a penetration tester, I can confirm this is solid information. Good high-level answers to every question.
High level answers explained in low level vocabulary as well.
This video is genuinely hilarious yet fascinating at the same time.
I think you spelled 'terrifying' wrong...
Please have him back on.
Thanks for the blue team love! We love you right back, even if we don't always show it.
Also: clipboard + hi-vis vest is also an amazing pen test tool. Bonus points if you have the metal clipboard with storage. And practice a bored, slightly disgruntled (not full on angry) look. 30 bucks at Amazon and a few basic acting chops go a LONG way to getting you into places you shouldn't be.
just go ahead and credit Deviant Ollam, please
That’s real. Go Blue Team!
He knows who pays the bill.
@@error.418 sure, why not, even though I've done this as far back as the 1980s and I'm not the first to do it.
@@iagmusicandflying Some people are too young to realize not everything originates on the the internet lol.
Jayson Street has an incredible DEFCON speech on penetration testing.. i highly recommend watching it
Never would I ever pick a USB no matter how tempting it feels. Also loved it when asked "how to rob a bank" and he said that he knows but wouldn't tell 😂
Jason has done a talk at Defcon called “Steal Everything, Kill Everyone, Cause Total Financial Ruin!” where he breaks into a building using a piece of cardboard. Cannot recommend it enough.
I'm the opposite. I'd never ignore one and honestly, I'm surprised Jayson said he would. It seems far more plausible he's got a bunch of secure burner laptops he can use to plug them in and find out what other people are trying to hack with.
@@smnsmnsmn he's also gone on the Darknet Diaries podcast, Ep. 6
cause he doesn't know. it's much easier to rob a armored vehicle than it is to rob a bank.
Finally! A cybersecurity expert that we deserve!
I don’t know how you find these people but keep it up. Such great communication with so much to learn
he is verry famous and does conferences and talks all the time .
Google "Who is the number one expert in the field that I'm interested in" and then hire them.
he's given about 1000 talks at DEFCON
whats defcon?@@error.418
@@ruk2023-- more like "who is the most influential?", because they sure don't bring Magnus Carlsen to talk about Chess, but they bring GothamChess
This has to be one of my favorite Support videos on Wired (the others being Mortician Support and Doc Support). More of this, please! Very educational and enlightening.
I’ve been a fan for a long time, read his book during my undergraduate studies. Clear, concise, and to the point.
How come your YT is verified with only 517 subs ?
I stumbled across an old spy video that had a unique spy gadget hidden in a belt. Even a tool made in the 1930's seemed so technologically advanced. It made me wonder just how crazy the spy/hacker technology must be today.
And this video made it clear: it's absolutely crazy.
Out of the best videos I have seen on Wired. I hope to see a second part with that same guy. He is quite clear in the way he speaks and you can also tell he knows quite a lot 😃
As someone that works with InfoSec regularly, this guy is spot on. Thanks for this video, Wired.
Your comment that, Every employee is part of the security team, is something that will always be embedded in me now, thank you so much
I’ve been an infosec pro for 20+ years, this guy was great.
3:19 He's being real here 😂😂😂
Report & documentation is the most challenging part of any job.
Yeah, I felt that one, too. When I was programming back in the day, 'What do you mean I have to document every single line of code?' And don't get me started on flowcharts. I had hair back then, and there were times I was pulling it out. It's all gone now, so who know what caused the baldness. At least my salt and pepper beard is working.
True. What's the most difficult part of a PhD program? Thesis write-up - not the research part of it. I know a few guys who did not complete their doctorates because of it.
@@bikenyThankfully the "document every line of code" is a bit less common now, but there is plenty of other things that are difficult to get through.
I hate writing reports man. Most boring part of hacking.
The biggest security hole sits in front of a monitor
the social engineering god himself. best talks of all time were done by this OG
Please bring this guy back frormore interviews. super interesting and a great speaker.
Please bring this guy back for multiple sessions! He's a great communicator with a lot of interesting insight and legit experience in cybsersecurity!
If only more concepts were as quick and easy to understand as this was. I’m in cybersecurity wanting to branch out and this was the information I needed before I got started. Thank you
this info is available everywhere online lookup network chuck or david bombal
one of the best Wired "___" Support videos ever
The weakest part of your network is always the human element. Train your people on what to expect, and train them to raise the red flag when something seems at all suspicious.
I've been in this industry for 20+ years and even I've had pen testers get through my defenses. It was a valuable lesson: even a professional isn't beyond making mistakes. And it didn't happen again.
Treating them with common decency also helps since they will actually care what happens. You treat them like crap they won't care about their job and so won't take actions as readily if they see something wrong. It becomes a "not my problem" situation.
@@l33tninja1 100% !! Respecting your people is a must.
My job forces us to go through cybersecurity trainings. Not only are they boring, they're poorly designed. This video is miles better than the training we're given, and actually is engaging. Bravo
as a security tech, it feels almost illegal releasing this video lol.
The bad guys already know the tricks anyway. This is serving as education so other people know what to be wary of.
of course, was more of a joke. But lots about this video easily entices the wrong crowd @@XSemperIdem5
I was gagged the whole video, this guy is the simultaneously the coolest person in the world and the most dangerous person in the world. Respect him fr
I believe the right thing to do if you catch someone with a "get out of jail free card" is to escort them back to a public area, and wait for the person that will actually release them. However, in a real situation, there is always the threat of violence.
Either that, or call your boss who should be high enough to be able to directly call whoever is apparently responsible for the unknown person.
Because as mentioned in the video, the numbers might be false and the answering party might give excuses why they can’t appear in person to validate the intruder, while the person you are detaining is putting pressure on you because you are costing the company precious time and money…
Call people?! Is it 1965 or something?!
@@halfsourlizard9319 yeah. phones didn't get tossed out in 1966.
Or what do you think that little rectangular device in your pocket is meant to be used for?
This guys still straight up in 2000 and I dig it
This is one of the scariest things I’ve seen about the times we live in!😳
ethical hackers hack so you dont get hacked if anything this is reassuring to know that there are more people like him than bad hackers out there .
Currently in college for Cybersecurity and I'm so glad this video came out. Honestly makes me much more excited to study this field more. Also was thinking of going for my masters in this field, is it worth it? I also would get certs along the way
absolutely
This video is so concise, clear and relevant, that it really needs a 2nd part
Google him, his talks are not usually so technical.
@@aetch77 Thanks, will do
WE NEED MORE JAYSON VIDEOS PLEASE
When he said "kitty pictures," I thought he meant something completely different. Big sigh of relief when I saw it spelled.
I'm a Security Culture Manager, and I'm so glad he said what he did about investing more in people. Spot on!
Im not even a pen tester or "hacker" but I've always enjoyed Jayson Street's talks.
Lmao, a USB audit 😂
6:40 - sweet now I can use my lack of skills and experience as a way to convince employers that I’m too smart and experienced to just be sharing that information on the internet. The ultimate interview bypass
I did learn something important ... don't mess with a skilled IT person . Be well .
My favorite breach ever is using part of a plant in the lobby to use to trip the motion sensors on every door. They expected all these technological gadgets and I got in with a nylon plant piece.
You coulda just said you’re the new florist and delivering flowers.
A lot of good tools here, we use to make all of our own tools. One thing he didn't mention 95% of the telco rooms are outside the building and once you have access to the MPO/DMARC you have ultimate access to their phones and Internet access.
Glad to see someone preaching employee training on how to spot social engineering and email phishing attacks. Preach on, brother. 🙌
'Penetration Testing' sounds crazy💀
It's hard for a lot of IT professionals to be able to explain these type of things to people that have zero knowledge and he does that extremely well.
If you're not already, you would make a wonderful instructor.
He does talks at a ton of cybersecurity conferences.
So far this is the best training video that I ever since to raise security awareness for workers.
The expert, Jayson E. Street is a great communicator. Check out his talks, there's tons.
I’ve never seen a more perfect example of the “I’m a penetration tester” uniform. This man must be the leader of all penetration testers.
Very cool and scary at the same time. Thank you
he is making things safer how is it scary lol ??
@@myname-mz3lo Because attacks happen constantly, every single day? I'm not scared personally, but you're talking like crime is a small-time problem. It's big.
@@myname-mz3lo its scary how few things you need to break into such high systems.
nah bro this man humbling every single company he's been hired by 😭😭
i remember there being a thing with apple's calendar. you could inject code when sending a schedule request, this wouldnt be a problem since you need to accept it first. but apparently if you send a schedule request for a date in the past, it automatically puts it in the target's calendar and it could run the code
8:15 Savage
Give this guy a show!
Question starts at 8:55
Working at a company where phishing simulations for all employees are done like a mini-game, with leaderboards and clever traps.
Got caught once, been paranoid and vigilant ever since. Best way to learn is to make mistakes thanks to simulations. Surprisingly efficient.
Really well explained video and it's amazing when he breaks down all the various tools he uses and how easy it is to be hacked with any number of those tools.
8:10 bro paid to find the weakest link only to find out its him.
This guy is cooler than I’ll ever be. So many gadgets I had no clue
6:14 #MaxFosh managed to get into the major security convention in Las Vegas, with this trick among others. He wasnt detected. He. Snuck. In. To. A. SECURITY. Convention :D
This guy is dangerous. I'm glad he's on our side.
Making computer hacking interesting is no small task. I love his firewall analogy.
Wow his analogy of an firewall being compare to a bouncer at a club was great! It was never put to me like that, granted I knew what a firewall was but his comparison makes it easier to understand.
love how they still call it twitter, nobody wants to call it X lmaoo
It's incredible how far "sounding like you're supposed to be there" can get you places
Awesome guy (you instantly feelhis passion about what he is doing) I love listening to him eventough its kinda scary !
how is it scary ? he hacks companies so that bad people dont .. its reassuring more than anything to know that there are more good hackers than bad ones
@@myname-mz3lo it's scary how easy some tricks are and how vulnerable everyone is.
Mr. Jayson such amazing person to deliver the dangerous things that can be happen
Penetration Tester... They gotta figure out a new name for that profession.
We gotta ban any word that people choose to sexualize now? Penetration testing is the best description of what they're doing.
I personally like it better than "Hacker"
"Vulnerability documenter" just doesn't have the same ring to it.
How about “Penetrator”?
wait
Well, at least it's true, you test to see if you can penetrate computers. I prefer 'ethical hacker' or 'cybersecurity analyst' more though
It's funny you mention attire. At one point, I had long hair that went halfway down my back. I tested once to see how differently I was treated if I went somewhere dressed in jeans and a T-Shirt, then later with my hair tied back, neat as a pin in a thousand dollar suit. It's incredible the difference in perception and how you're treated. Not to mention the trust afforded you. Nobody even realized I was the same person.
Wearing a delivery, maintenance, or janitor uniform can get you a lot of places too. People tend to not pay attention to laborers.
Especially when you get a lazy security person.
That's what she said
Lol
Good job Jayson! Hope to see you on more of these videos! Very informative.