Jayson Street - I PWN thee I PWN thee not - DEF CON 27 Social Engineering Village
- added 13. 09. 2024
- Attackers love it when defenses fail. Implementing defenses without properly understanding the risks and threats is usually a waste of money and resources. This is a frank discussion of what control failures an attacker looks for when attempting to breach an enterprise, as well as how an effective control can help prevent an attacker from being successful. Jayson will walk through real-world scenarios that have led to successful compromise of different companies through control failures. He will also give detailed analysis of controls that led to his attacks being effectively thwarted. Learn how to understand and assess real-world risks, as well as simple defenses which can be implemented to better protect your organization.
Jayson Street: @jaysonstreet
Jayson E. Street is an author of the “Dissecting the Hack” series, the DEF CON Groups Global Ambassador, and the VP of InfoSec for SphereNY. He has also spoken at DEF CON, DerbyCon, GRRCon and at several other ‘CONs and colleges on a variety of information security subjects.
*He was a highly carbonated speaker who has partaken of pizza from Beijing to Brazil. He does not expect anybody to still be reading this far, but if they are, please note he was chosen as one of Time’s persons of the year for 2006.
I’m always on the lookout for Jayson, wherever I go.
That is the exact opposite of his point.
Jayson Street should make a shirt that says "Remember the kittens"
Another great talk by the king of awkward hugs. Thanks Jayson.
Watched the d18 and d19 talks. Then this one. I feel like he is at the point where he really really wishes his advice would be heeded more often and it's not as fun as it used to be.
Also, he was right about #newbadge
2:23 "If he approaches you, toss a bag of oreos at him and run. The oreos will distract him."
40:00 reminds me of something one of my college profs said "no one remembers the name of a bridge builder unless it falls down"
quiz nos what did he teach?
@sketchyAnalogies one of my ECE classes. Also said "in electrics you do wrong, things go boom, everyone dies"
He was very strict about pass fail, no partial credit AT ALL.
"Grades like my class. Digital."
quiz nos holy moly. I’m actually an EE student. I’m really interested in infosec and physical security as a hobby and a cool thing to understand, but my real passion is with EE. My goal is to design control systems for Walt Disney Imagineering, or perhaps another company.
Brilliant
One of my all time favorite speakers!
Same 👍
16:50 - "Hi, my name is Werner Brandes, my voice is my passport, verify me" love the Sneakers reference.
He just got on the F.B.I.'s most meanie list.
Someone gives this talk every year … and nothing ever changes. 😡
You can't fix stupidity. Apathy is also hard to fix. Both are the roots of social engineering.
@Duncan Murphy I literally stopped my 74 year old mother from getting scammed just 3 days ago when I overheard her talking on the phone and saying, quite timidly, "Ok, I'll have to grab my laptop from the other room…". Everything I've said to her, over years and years, just went out the window.
"Mom, he wasn't from MasterCard because they won't make you login to your computer and web banking, remember?"
"Well, he sounded pretty serious."
Aargh!😖
Couldn't keep him on the line long enough to get a VPC trap ready for him, unfortunately.😔
To be fair, there are always new people. By definition, it's an endless battle and this kind of talk is always going to be necessary. People don't learn stuff from nowhere.
That said, the thing with your mom is pretty bad.
It's frustrating, but I think Jayson made a good point with gamification and personalizing the lessons. If an employee knows to click the boxes on the survey every year that you send out, but only applies that to a survey, and they're clicking on links in emails, we're the ones failing the employees by not educating them; it's not the employees' failure to not inherently know all of the tricks the bad actors use.
The military drills its soldiers so they will act on instinct, sports teams drill their players to act on instinct. We need to drill our employees so they too will act on instinct. And yes those first few drills will make you want to drive your hand through your forehead with the amount of facepalming you do. You will lose faith in all of humanity with that first group of drills. But you keep drilling, you keep reeducating, you keep teaching. Put out the game, give them a little reward, and you start seeing that instinctual behaviour.
Jayson gave a talk about bank employees once. He said that if someone came into a bank in a black ski mask and an uzi, everyone would know what to do. There's that instinct. They know what to do in specific circumstances. The instinct is already there. It's our job to educate, to drill, to hone that instinct to the point where they don't have to think anymore. They act. And they act correctly. And then don't stop drilling once you get the behaviour that you want. You keep drilling, keep honing the instinct so that if something bad does come down the pipe, your users are a part of your security team.
@burningisis considering how little shit people seem to give and how much people seem to give about random small things, chances are that this won't happen, my friend. Your point's valid and does provide some solution with examples, but companies implementing these things is not looking likely to happen.
Always love a Jayson talk
He sounds extra pissed tho
He looks so different without the mohawk but his voice is so distinguishable
I fking love Jayson Street
Jayson "It's like" Street
victi- uh, targ- uh, *clients*
I'm not a sysadmin, and I feel guilty
first comment: the awkward hug level of Jayson Street is far exceeding 9000
TF? TSA confiscated everything more dangerous than toothpicks from me.
What i got from this is if you need to protect your information hire a Russian.
get a drink madman your voice gets way to raspy
What is the way to raspy, and why would you go there?
LOL it's kinda sick
@slappy8941 wow you're so smart for recognizing a grammar mistake.
I bet you try your best every day to make everyone else think you're smarter than you are
@9393jack it was pretty funny
He needs more diet coke
20:00
I was literally almost, innocently, shot after being let through by pier (ECP) gate security, who let me drive my public '96 "tactical (according to the reporting rover)" Jeep Grand Cherokee to retrieve some lines to be spliced on a neighboring ship who frankly.. didn't gaf if we drove up on the pier. Yeahhh, circa 2013 Navy bitches!!!!!!!!!
@asperbergers7136 based
This guy is going to lose his voice completely.
I'm okay with that.
I've been looking for this jerk, I hand him my company on a silver platter and he goes and wrecks my spoke spot!😡😡😡😂🤣
Cool talk, but can we at least agree that mandatory password reset policies are bullshit and hurt security more than they help? Just another way to guarantee employees either use an easy password, write it down somewhere, or both.
I don't drink because I'm too coked out
Cocaine is nature's pep talk.
Epik
Actually, usually "Pepsi Max'd" when it comes to Jayson 😝
you can't smiley emoji in notepad
he meant ":)"
It's hard to listen to him scream into the mic. His early talks were really entertaining, but I guess over the years hearing that voice yell about how dumb people are gets kind of old and annoying.
1000 points for bloodninja reference!!! omfg!!! bloodninja!!!!
Oh I like that Baby. I put on my robe and wizard hat.
Firing an employee over clicking a bullshit link solicited from inside the company is fucked.
The rest of your talk was great! Firing is the lazy manager's answer; nearly everyone can be trained for basic AI tasks.
Most places have a number of strikes, at least.
But if you can't detect a phishing link, whether from inside the company or out (and the real ones may be internal, too), you're a liability to the business.
He's just shouting the same thing over and over.
I guess every 9 years they repeat this speech 😆
like almost every "hacker" at those cons this guy wastes half of the talk bragging about how stealthy and good they are "you don't want me inside your company with my skillz"
and the other half with a tiny bit of information sprinkled with more bragging.
I think you missed the point of his talk by like a mile or so. Maybe watch it again and actually listen.
Well they would never have become computer nerds if they had learned social skills.
And they never point out the one thing that actually makes them successful: not having the fear of getting caught. Anyone can play off some goofy scheme to hack you if there's no fear. Go in to a place for REAL and try this stupid shit, where if you get caught, you're going to jail. I guarantee you won't just be hangin out in the breakroom, calmly drinkin' a glass of water.
@forge20 did you really listen? A massive majority of his talk was directed at insider threats (intentional and not), testing your security products to make sure your solutions work as intended, and more. Yeah, he hits on social engineering. But the point is if someone like him can skip on through, anyone with half a brain and some decent social skills will own companies.
If what he is giving is useless information, why is it these basics are ignored at many companies and year after year you hear about breaches or stupid shit like plain text passwords, unpatched systems, or dumb employees opening shifty emails.
This needs to be drilled into everyone's heads and it's why he and others harp on it over and over and talk about why they own people's shit. Because it's literally child's play if you're more than halfway motivated and have a bit of skill.
Dude, he addresses this very issue in this talk czcams.com/video/l1OFH_H8PjQ/video.html
Jayson is awesome, and I've had the pleasure of meeting him a few times too 👍
"My badge was just printed on paper" yeah we used to do this where I worked too ... worked great as long as you were actually an employee. If you weren't, security spotted you right away. And that's the problem with 90% of these "hacks".
Jayson would have almost 100% been able to break in to your company.
This was one small example of thousands, and you are WAY over-generalising by saying "these 'hacks'".