[HN Gopher] The Beirut Bank Job (2017)
___________________________________________________________________
The Beirut Bank Job (2017)
Author : mleonhard
Score : 258 points
Date : 2021-02-21 09:54 UTC (13 hours ago)
(HTM) web link (darknetdiaries.com)
(TXT) w3m dump (darknetdiaries.com)
| dqv wrote:
| I loved this one especially because of the foreshadowing where he
| almost targets the wrong bank the first day.
|
| Tons of great episodes on this podcast. It's really a treasure.
| pottertheotter wrote:
| I listen to a lot of podcasts, but this may be the one I get
| most excited about when a new episode comes out.
| chris_wot wrote:
| Same here. When my finances stabilise I'm going to contribute
| to his Patreon account.
| kylegordon wrote:
| Where does it say he was in the wrong bank?
| jbj wrote:
| His second anecdote: after drinking too much soda pop, he was
| distracted by looking for a bathroom.
| wrboyce wrote:
| > JASON: I accidentally robbed the wrong bank the last time I
| was in Beirut.
|
| Right there in the article/podcast.
| mckirk wrote:
| I found this story yesterday and was quite confused as well,
| because in the YouTube video of him telling the story that they
| link, he just leaves that part out. But in the audio at the top
| of the page (and the transcript), he explains it.
| edent wrote:
| It doesn't. He walked up to the door of the wrong bank and his
| driver alerted him.
| macintux wrote:
| That's a different incident. There's another, much more
| serious wrong-bank story near the end of the interview.
| taspeotis wrote:
| My wife just shared this podcast with me. That's in the first
| two-thirds - the last third is where he breaks in to the
| wrong bank.
| radmuzom wrote:
| It is covered if you hear the full podcast episode.
| Coincidentally, I heard the episode only last week and was one
| of my favourite episodes from this podcast so far.
| hexo wrote:
| Blank page again.
| hexo wrote:
| I wonder what kind of people downvote this... :D
| sodality2 wrote:
| Enabling JS worked for me
| jwilk wrote:
| Disable CSS or use reader mode.
| chrisandchris wrote:
| Here too. Annoying how websites do not work at all if you have
| some basic tracking blocker enabled.
| trollied wrote:
| This is another great Darknet Diaries episode:
| https://darknetdiaries.com/episode/59/ The Courthouse.
|
| You may have seen it in the news just over a year ago. Basically,
| what happens when a physical pentest goes wrong....
| gluser wrote:
| This is like gitlab devs deleting the prod DB thinking it's dev
| DB
| xwdv wrote:
| Reminds me of the dev who deleted the production DB and all its
| backups thinking it was dev just to save space and lower the
| monthly spending.
| raesene9 wrote:
| It's quite possible in pentesting to end up hitting the wrong
| target unless you're careful.
|
| Not as extreme as this case but, I've had cases where customers
| gave me the wrong IP address range for external work in the past,
| or where the customer had been told they had a dedicated server,
| when their web hosting company had actually put them on a shared
| host.
| Aachen wrote:
| Yep, this. Or the team that arranges the contract (what to
| test, when to test it) typos the IPs (or misses a digit when
| copying or so).
|
| To avoid that, in the larger orga I worked for we had a
| checklist for the morning-of: check signature on
| indemnification agreement, run a WHOIS on the provided IPs and
| domains. Fewer and fewer people have their own v4 ranges, but
| the companies that pay our rates are typically large enough to
| still have it. If not, they had to tell us in advance whom we
| should expect it to be hosted with.
|
| The team that has initial contact also checks, but we were
| supposed to double check anyway and it was a good thing, too.
| Getting caught hacking another company is not a situation you
| want to be in as a security company.
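The morning-of scope check described in the comment above, as an added example that is not part of the thread or the podcast: every line of the agreed scope is parsed (a typo'd or truncated IP is rejected outright rather than silently scanned), each valid target is attributed via a WHOIS-style record, and the organisation found is compared against the client's name before any test starts. The ranges, domain and organisation names below are constructed (RFC 5737 documentation space), and `constructed_lookup` is a stand-in for running `whois` or an RDAP query; both are assumptions of this example, not data from the page.

```python
"""Morning-of scope check: reject malformed targets and attribute the rest to the client."""
import ipaddress
import re

# Constructed WHOIS-style records standing in for the output of `whois <target>`.
# Assumption: ranges, domain and organisation names are invented for this example.
CONSTRUCTED_WHOIS = {
    "203.0.113.0/24": (
        "inetnum:   203.0.113.0 - 203.0.113.255\n"
        "netname:   EXAMPLE-BANK-NET\n"
        "org-name:  Example Bank Ltd\n"
    ),
    "198.51.100.0/24": (
        "inetnum:   198.51.100.0 - 198.51.100.255\n"
        "netname:   SHARED-HOSTING-1\n"
        "org-name:  Unrelated Hosting GmbH\n"
    ),
    "example-bank.test": (
        "Domain Name: example-bank.test\n"
        "Registrant Organization: Example Bank Ltd\n"
    ),
}

# Constructed scope list as a contract team might hand it over; "203.0.113" is a typo.
CONSTRUCTED_SCOPE = [
    "203.0.113.0/24",
    "203.0.113",
    "198.51.100.7",
    "example-bank.test",
    "192.0.2.10",
]

# Fields that carry the owning organisation in common RIR / registrar formats.
ORG_FIELDS = re.compile(
    r"^(?:org-name|OrgName|Registrant Organization|descr):\s*(.+)$", re.I | re.M
)


def parse_target(raw):
    """Classify one scope line as ('net', network), ('domain', name) or ('invalid', raw)."""
    raw = raw.strip()
    if not raw:
        return None
    try:
        # strict=False accepts host addresses such as 198.51.100.7 as a /32.
        return ("net", ipaddress.ip_network(raw, strict=False))
    except ValueError:
        pass
    # Last label must start with a letter, so a truncated IP like "203.0.113"
    # is not mistaken for a hostname.
    if re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z][a-z0-9-]*", raw, re.I):
        return ("domain", raw.lower())
    return ("invalid", raw)


def constructed_lookup(kind, target):
    """Stand-in for `whois`: return the record whose key covers the target, or None."""
    for key, record in CONSTRUCTED_WHOIS.items():
        if kind == "domain":
            if key == target:
                return record
        else:
            try:
                if target.subnet_of(ipaddress.ip_network(key)):
                    return record
            except (ValueError, TypeError):
                continue  # key is a domain, or an address-family mismatch
    return None


def record_orgs(record):
    """Extract every organisation value from a WHOIS-style record."""
    return [m.strip() for m in ORG_FIELDS.findall(record)]


def check_scope(scope_lines, client_names, lookup=constructed_lookup):
    """Return one finding per scope line with status ok / invalid / unknown / mismatch."""
    wanted = [n.lower() for n in client_names]
    findings = []
    for raw in scope_lines:
        parsed = parse_target(raw)
        if parsed is None:
            continue
        kind, target = parsed
        finding = {"target": raw.strip(), "status": "invalid", "org": None}
        if kind != "invalid":
            record = lookup(kind, target)
            if record is None:
                finding["status"] = "unknown"
            else:
                orgs = record_orgs(record)
                finding["org"] = "; ".join(orgs) or None
                matched = any(w in o.lower() for o in orgs for w in wanted)
                finding["status"] = "ok" if matched else "mismatch"
        findings.append(finding)
    return findings


def go_no_go(findings):
    """Start testing only when every target is attributable to the client."""
    return all(f["status"] == "ok" for f in findings)


if __name__ == "__main__":
    results = check_scope(CONSTRUCTED_SCOPE, ["Example Bank"])
    for f in results:
        print(f"{f['status']:<9} {f['target']:<20} {f['org'] or ''}")
    print("GO" if go_no_go(results) else "NO-GO: confirm every non-ok target with the client")
```

Anything other than `ok` is a stop-and-ask, not a judgement call on the day: `invalid` is the typo case, `unknown` means the address could not be attributed at all (the "you were told it was dedicated, it is shared" situation from the parent comment), and `mismatch` is exactly the "wrong bank" outcome the thread is about. In real use the `lookup` parameter is replaced by a wrapper around `whois` or an RDAP client, and the result goes in the engagement notes alongside the signed indemnification check.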
| [deleted]
| sokoloff wrote:
| Pen-testing BOGO special: Buy One; Get One FREE!
| Zenst wrote:
| Actually had a similar experience pen-testing a large financial
| institution. Was plotted up in their training room, circa the
| late 90s, and I had a boot floppy distro (TRINUX iirc) which had
| the tools I wanted (tcpdump, nmap...). So quickly turned a
| training PC into my terminal of choice, mapped the network
| out and came across an AS/400. Quickly dug out my notes on such
| beasts and it turned out that the shipping default accounts had not
| been disabled, and I was quickly in. Having a look about, it turned
| out very quickly to be a financial system that had nothing to do
| with the client. Actually seemed to be a case of the system
| sharing data, and a colleague of mine soon pointed out that this
| stank not only at a security level but, more importantly, at the
| financial services regulation level. We did the report and that whole
| aspect got swept under the carpet and I was never asked back to
| that client's site ever again.
|
| That's not the worst story of security within a financial service
| company/bank I've experienced, but it sure did start to open my eyes
| to how interlocked some companies are with others who you would not
| expect, for numerous reasons.
|
| I will say that if you do find yourself in places you weren't
| expecting, you do notice, and notice pretty quickly, and raise
| questions; also you start to become more mindful: "how easy
| would it be to social engineer penetration testers to break into
| a bank for you?" It's a thought, and more so as they would just
| need to engineer management into tasking you with such a job. Not
| aware of that happening, but can easily see how that could be
| orchestrated.
| rebuilder wrote:
| >they would just need to engineer management to task you such a
| job.
|
| I like the idea of social engineering management into hiring
| pen testers... How large a shadow organization could
| conceivably remain undetected on the payrolls of a large
| corporation, I wonder.
|
| There's a short story in there somewhere, at the very least.
| coldtea wrote:
| > _We did the report and that whole aspect got swept under the
| carpet and I was never asked back to that clients site ever
| again._
|
| You should have pushed for the opposite, doing the occasional
| pentest for the client for life, in exchange for being mum about
| it.
| texasbigdata wrote:
| Here's a contra view.
|
| If you had a backbone as a consultant, your period 2 report
| would start with "unresolved issues from last time", so you
| would very quickly have to resign due to your ethical
| baseline not being met. Therefore same outcome.
| coldtea wrote:
| > _have to resign due to your ethical baseline not being
| met_
|
| Huh? Your job is to point to issues, not to ensure they're
| resolved.
| NullPrefix wrote:
| >and I was never asked back to that clients site ever again.
|
| Award for excellence in pentesting.
| Aachen wrote:
| Some companies need to be tested for legal reasons or because
| the parent company requires it. It's often easy to tell when
| you're dealing with one of those from the details being
| incomplete or coming in late (like getting the API docs 7 days
| into the 5-day test, so we basically didn't test, but we
| still have to bill the reserved time), but if it's unclear,
| being a little too happy with an empty report and inviting us
| to test another thing is another tell-tale.
|
| Well, the report is never empty but in general it's not as if
| you always hit jackpot, sometimes there's a very small attack
| surface in a black box test (or if it's a black box because
| your account credentials are still not arranged...),
| sometimes there's a mostly default install of something and
| that's secure by default because a lot of people already
| looked at the project, or sometimes they just did a good job.
|
| Not being invited back can be more than one thing.
| Embarrassing the company is one of the most effective ways of
| losing clients, though. It also doesn't help get issues fixed
| because the manager will prioritize saving face over anything
| else, including protecting assets.
|
| If you enable them to protect assets without looking bad
| using good communication... that manager will want you for
| every test.
| anonleb4 wrote:
| Much less impressive when you know the guy works for the cousin
| of the bank owner, who is part of a mafioso family. This was
| staged as a PR move for the security firm of the cousin of the
| bank owner.
| saghm wrote:
| Do you have a source for this? I'm genuinely curious
| everyone wrote:
| In this video (https://youtu.be/UpX70KxGiVo) the running theme
| seems to be: omg, it's so easy to just walk into these places and rob
| them, the employees just let me in.
|
| That seems an unremarkable assertion to me.
|
| Do these corporations want all their employees to act as their
| private security force and secret police? I think most employees
| (rightly) don't give a shit if the company suffers. When it does
| well they don't get rewarded. They just gotta work somewhere so
| they can pay the rent and get food.
|
| Your employer has the power to make you do all sorts of things.
| But they can't make you care.
| itronitron wrote:
| In my experience, employers regularly exercise their power to
| make their employees not care. At best this is driven by a
| desire to limit the organization's liability, for example
| disciplining non-janitorial employees for picking up litter
| because they are afraid of lawsuits if someone throws out their
| back at work.
| Debug_Overload wrote:
| The narrating is really annoying. Just let the guy talk, goddamn.
| peterkelly wrote:
| The wrong bank story is at 18:20 onwards in the podcast.
|
| In the transcript, search for "A few years pass. Jason gets
| another call for another security awareness engagement" and read
| from there.
| Clewza313 wrote:
| The rest of the story is pretty amazing too.
| justinclift wrote:
| The full text transcript is here:
| https://darknetdiaries.com/transcript/6/
| SloopJon wrote:
| Thank you. I love this bit at the end of a successful
| demonstration:
|
| > [The bank manager] raised his hand during this whole all-
| hands meeting and he says what about the free computers? Do we
| still get the new computers? I'm like no, I was lying to you.
| I'm a horrible person.
|
| And this one after getting caught at the wrong bank:
|
| > He calls the guy who hired us to rob the bank. They start
| talking and halfway through the conversation he literally says
| do we have to split the cost for this? At that point I realized
| it was probably going to be okay.
| _trampeltier wrote:
| Memories: in my young years as an electrician, our boss told us to
| go to a bank. We would have to install a whole new telephone
| installation. So we went to the bank, the lady at the front desk
| said, "yes, I heard something about new telephones" and opened the
| door for us. About one hour later, when we had already started to
| work, the boss from the bank came and asked us what we were doing,
| because they had not decided until then which company would do
| the work .. so we left, and guess what .. our company did not get
| the contract for the work :-)
___________________________________________________________________
(page generated 2021-02-21 23:01 UTC)