How I Broke into Washington States Marijuana Money Mantrap
At the time, I was working as a security consultant for a large Managed Service Provider, and we were given a contract to upgrade networking and security for an organization within the state government of the State of Washington. We worked on this project for about three days, installing various networking equipment, Cisco mainly, when my partner noticed something: there was a small mantrap room with a big hulking security guard standing in front of it. He also saw men from an armored security company bringing in huge black rectangular duffle bags every few minutes. This was right when I-502 was passed (Washington State's Legal Marijuana Initiative), and we knew these bags were full of money. At the time (and still probably to this day), the money was just being collected and stored due to Marijuana still being federally illegal.
My partner and I looked at each other, and a lightbulb went off in my head; “I bet I can get in that room!” I told my partner as much and then started to formulate my plan. Since we were already wearing business casual clothes, we figured we were good to go. We also each had portfolio-style clipboards with us for notetaking. Additionally, each of the network items we installed came with a bill of sale and an inventory checklist, so we also had those on us. Since we had access to the networking closets, I did some digging and noticed that the state subcontracted a small local security vendor for their door and camera systems. That’s all I needed, and I sprang into action.
I went up to the big, hulking security guard. I was nervous and probably sweating like crazy. But I went up and said, “Hi, I am Jim from Jim's Security (not the real vendor, obviously), and I am doing an inventory on surveillance equipment. I need to see the serial number on that security camera in the mantrap.” The security guard looked me up and down, and after what felt like an hour, he said, “No worries, here you go!” And he let me right in. From that point, I was in a room with billions in cash. I walked up to the camera in the room, turned my phone on to video, and recorded myself in the room with the money. The security guard had no idea what was going on. When I was done, I walked out, and we left.
My partner and I looked at each other, and a lightbulb went off in my head; “I bet I can get in that room!” I told my partner as much and then started to formulate my plan. Since we were already wearing business casual clothes, we figured we were good to go. We also each had portfolio-style clipboards with us for notetaking. Additionally, each of the network items we installed came with a bill of sale and an inventory checklist, so we also had those on us. Since we had access to the networking closets, I did some digging and noticed that the state subcontracted a small local security vendor for their door and camera systems. That’s all I needed, and I sprang into action.
I went up to the big, hulking security guard. I was nervous and probably sweating like crazy. But I went up and said, “Hi, I am Jim from Jim's Security (not the real vendor, obviously), and I am doing an inventory on surveillance equipment. I need to see the serial number on that security camera in the mantrap.” The security guard looked me up and down, and after what felt like an hour, he said, “No worries, here you go!” And he let me right in. From that point, I was in a room with billions in cash. I walked up to the camera in the room, turned my phone on to video, and recorded myself in the room with the money. The security guard had no idea what was going on. When I was done, I walked out, and we left.
How I “Broke” into the Pharmacy of one of the World’s Largest Retailers
In 2016, I had a contract to test the protocols and redesign the networking and security in one of the world's most significant retailers' pharmacy sections. Part of this task was looking for security holes and pointing them out. Before we did anything, we did some reconnaissance of the company. On day one, we saw that they used a substantial national Managed Service Provider to do most of their work. So, with this information, we went to work. My partner at the time had an older CD800 card printer. So we looked at the MSPs website, grabbed some logos, and did two things: first, we printed ID badges that looked official enough not to get flagged, and second, we designed a Letter of Intent and Letter of Authorization specifying that we had escorted access to the pharmacy during non-business hours.
The next day, around 6 am, we went to the store and tested our plan. We walked up to the Customer Service desk and said we were with XYZ MSP and were working on a network overhaul of the pharmacy. Since this retailer is enormous, the shift turnover could have been better. So, there was no questioning of intent or credentials. The shift supervisor connected us with a staff member with access to the pharmacy. This was the easy part, as they were to escort us into the pharmacy and monitor our every move, as the Letter of Authorization stated.
When we entered the pharmacy, we went to the computers and pretended to do some work. They were locked with that company's proprietary software, so we were stuck there. While my partner beat away at passwords trying to get into the computer, I walked back to "look at the switch" and noticed the narcotics storage. These are usually locked storage containers that the pharmacist must unlock and only remain unlocked for a certain amount of time. But this was all we needed! I quickly snapped a picture of the narcotics storage container and returned to the counter to see that my partner was still messing with the computer.
To continue the exploitation, we told the escort that they changed the Password of the Day on us, probably at headquarters, and we didn't get the update. So, the escort just rolled their eyes and let us continue. My partner moved to one of the unlocked computers from the back and popped in a boot disk. I am pretty sure we were using the Hirens Boot CD or something with a file explorer at that time, but he used the file explorer and performed the SETHC exploit. Once he finished, he rebooted and changed the administrative password, and we were now on the computer with unrestricted access. We also were able to gain access to the entire store's infrastructure because they allowed local admins to have that level of access. Unfortunately, we were blocked with a login page when we tried to launch the pharmacy software. Since this was a well-known type of pharmacy software on a known vulnerable release, we were positive there was a way to break in. Since we were restricted by time and scope, we did not attempt to gain access, but we did take pictures and document our findings.
The next day, around 6 am, we went to the store and tested our plan. We walked up to the Customer Service desk and said we were with XYZ MSP and were working on a network overhaul of the pharmacy. Since this retailer is enormous, the shift turnover could have been better. So, there was no questioning of intent or credentials. The shift supervisor connected us with a staff member with access to the pharmacy. This was the easy part, as they were to escort us into the pharmacy and monitor our every move, as the Letter of Authorization stated.
When we entered the pharmacy, we went to the computers and pretended to do some work. They were locked with that company's proprietary software, so we were stuck there. While my partner beat away at passwords trying to get into the computer, I walked back to "look at the switch" and noticed the narcotics storage. These are usually locked storage containers that the pharmacist must unlock and only remain unlocked for a certain amount of time. But this was all we needed! I quickly snapped a picture of the narcotics storage container and returned to the counter to see that my partner was still messing with the computer.
To continue the exploitation, we told the escort that they changed the Password of the Day on us, probably at headquarters, and we didn't get the update. So, the escort just rolled their eyes and let us continue. My partner moved to one of the unlocked computers from the back and popped in a boot disk. I am pretty sure we were using the Hirens Boot CD or something with a file explorer at that time, but he used the file explorer and performed the SETHC exploit. Once he finished, he rebooted and changed the administrative password, and we were now on the computer with unrestricted access. We also were able to gain access to the entire store's infrastructure because they allowed local admins to have that level of access. Unfortunately, we were blocked with a login page when we tried to launch the pharmacy software. Since this was a well-known type of pharmacy software on a known vulnerable release, we were positive there was a way to break in. Since we were restricted by time and scope, we did not attempt to gain access, but we did take pictures and document our findings.
How I “stole” A Hard Drive from One of the U.S.’s Largest Clothing Stores
In 2017, I had a contract to look at network and physical security for one of the largest clothing retailers in the United States. They have a corporate office in my native Seattle that shares resources with several other businesses and one government entity. At the same time, the company was doing a printer-copier refresh and rollout. So, we had an upper hand at this point. We spent our first day reconning the company, as you do, and we noticed that the company doing the printer refresh sent people out in company vehicles. These vehicles were branded with the printer/copier company logo all over. So, this would be our way in. For those who don't know, most companies that photocopy sensitive data store their printers and copiers in a separate location from regular use, daily printers.
So that night, we used our trusty CD800 and printed out some lovely headshots and ID cards that resembled those of the printer/copier company but were different to signify that we were some type of leadership with the company. Once our IDs were printed, we printed a fake inventory sheet and used this as our way in.
We showed up the next day and met with reception. Since the Printer/Copier company was already on site, we could easily use our newly printed credentials to gain unrestricted access to the business operations floor. From there, thanks to the receptionist's very detailed and polite directions, we could locate the printer/copier room by the Human Resources department. Our guise was that we were verifying serial numbers of newly installed printers and copiers so that we could write them out of our inventory.
Once we were at the copier, I pulled lookout duty while my partner went to work on the copier. Within 30-45 seconds, he was able to pull the hard drive from the copier. So, we decided to try another one. And then another one. All in all, we were able to steal five hard drives from five separate copiers, all located by the HR department. Now, so that you know, these were the old copiers that were being replaced. So, we had tons of saved sensitive scans.
At the end of all this, we were packing our things and preparing to leave when the receptionist stopped us. Our hearts were beating for a moment, thinking we had been caught. "Hey, the copier is not working. Are you guys replacing those today or just doing inventory?" So, I quickly answered, "We are just doing inventory on those, and they will be replaced after lunch." We promptly left with our loot of hard drives and turned them into our point of contact.
So that night, we used our trusty CD800 and printed out some lovely headshots and ID cards that resembled those of the printer/copier company but were different to signify that we were some type of leadership with the company. Once our IDs were printed, we printed a fake inventory sheet and used this as our way in.
We showed up the next day and met with reception. Since the Printer/Copier company was already on site, we could easily use our newly printed credentials to gain unrestricted access to the business operations floor. From there, thanks to the receptionist's very detailed and polite directions, we could locate the printer/copier room by the Human Resources department. Our guise was that we were verifying serial numbers of newly installed printers and copiers so that we could write them out of our inventory.
Once we were at the copier, I pulled lookout duty while my partner went to work on the copier. Within 30-45 seconds, he was able to pull the hard drive from the copier. So, we decided to try another one. And then another one. All in all, we were able to steal five hard drives from five separate copiers, all located by the HR department. Now, so that you know, these were the old copiers that were being replaced. So, we had tons of saved sensitive scans.
At the end of all this, we were packing our things and preparing to leave when the receptionist stopped us. Our hearts were beating for a moment, thinking we had been caught. "Hey, the copier is not working. Are you guys replacing those today or just doing inventory?" So, I quickly answered, "We are just doing inventory on those, and they will be replaced after lunch." We promptly left with our loot of hard drives and turned them into our point of contact.
How I Nearly Stole the Private Data of Washington State Retirees, and Then Got Caught
In 2018, I signed a contract with a government agency in Washington State. Again, I am doing an independent security consultation. This was aimed to show the weaknesses in their physical security posture. Again, the day before, we did some reconnaissance and got lucky. It was document shredding day for the organization. This one was almost too easy. We decided to make our badges using the logo of the shredding company. I chose to do something a little more brash this time and pretend to be a supervisor with the company. The following day, we went to work.
We arrived on-site at 8 am and promptly dived in head-first. I walked up to the receptionist and showed her my badge. "Hi, I am Greg with Greg’s Shredding" (again, not the vendor's name). "I believe we gave you a broken shred bin yesterday, and I need to find it and note it for swapping out. Could you help me with that?" I assume she didn't get many visitors because she jumped at the opportunity to help. So she walked me around to all the shred bins, and I examined them all until I found one I liked. I told her, "This is the one!" And we both jumped with excitement. I informed her that we would need to transfer the documents from this bin to another "functioning" bin, and I asked her if she would mind getting the key for me, and she happily obliged. She immediately went to work looking for someone who had the key, which was a lost cause because no one there had the key. I just sent her off to buy me some time.
I used the trusty set of lockpicks that I had with me and went to work on the padlock. I will admit I am not the greatest lockpick out there, but I pressed on. I spent 10 minutes trying to break into this lock. Finally, when I felt the lock give a little bit, she reappeared with her supervisor and asked, "What are you doing?" At that point, it was obvious that I was not supposed to be there. So I tried to pack my things and leave, but the on-site security guard stopped me. He quickly grabbed my messenger bag and went through it. I promptly told him I had a letter allowing me to do this, but he didn't want to hear it. By this time, the police were there and surrounding me. I thought I was done when they asked me to show my ID. I told them my ID was in the messenger bag with my Letter of Authorization to conduct a physical security test.
Thankfully, they looked at the paperwork I had provided and my driver's license. But I was not out of the water yet; they suspected that my Letter of Authorization was fake. So I had to have them call my site point of contact to verify that, and yes, I was supposed to be doing this. So, I graciously grabbed my things and walked out. I knew I had been caught, so I left. Thankfully, for that organization, time was not on my side.
We arrived on-site at 8 am and promptly dived in head-first. I walked up to the receptionist and showed her my badge. "Hi, I am Greg with Greg’s Shredding" (again, not the vendor's name). "I believe we gave you a broken shred bin yesterday, and I need to find it and note it for swapping out. Could you help me with that?" I assume she didn't get many visitors because she jumped at the opportunity to help. So she walked me around to all the shred bins, and I examined them all until I found one I liked. I told her, "This is the one!" And we both jumped with excitement. I informed her that we would need to transfer the documents from this bin to another "functioning" bin, and I asked her if she would mind getting the key for me, and she happily obliged. She immediately went to work looking for someone who had the key, which was a lost cause because no one there had the key. I just sent her off to buy me some time.
I used the trusty set of lockpicks that I had with me and went to work on the padlock. I will admit I am not the greatest lockpick out there, but I pressed on. I spent 10 minutes trying to break into this lock. Finally, when I felt the lock give a little bit, she reappeared with her supervisor and asked, "What are you doing?" At that point, it was obvious that I was not supposed to be there. So I tried to pack my things and leave, but the on-site security guard stopped me. He quickly grabbed my messenger bag and went through it. I promptly told him I had a letter allowing me to do this, but he didn't want to hear it. By this time, the police were there and surrounding me. I thought I was done when they asked me to show my ID. I told them my ID was in the messenger bag with my Letter of Authorization to conduct a physical security test.
Thankfully, they looked at the paperwork I had provided and my driver's license. But I was not out of the water yet; they suspected that my Letter of Authorization was fake. So I had to have them call my site point of contact to verify that, and yes, I was supposed to be doing this. So, I graciously grabbed my things and walked out. I knew I had been caught, so I left. Thankfully, for that organization, time was not on my side.