BONUS: BCP LIVE with FC

This episode has been automatically transcribed by AI, please excuse any typos or grammatical errors.

Chris: FC, welcome, my friend.

FC: Thank you, my friend. Good to meet you.

Chris: Good to meet you in person.

FC: Yeah.

Chris: So, HOW I ROB BANKS. This is a phenomenal read I just finished. I can’t wait till you guys take a look at it in your book.

FC: Yes.

Chris: You heavily focus on and discuss the aspect of reconnaissance yes. And the importance there of knowing your subject, surveying the scene before you break into an area, highly guarded area in some instances. How often is your plan of attack? How often does it go as planned? Or is there always some level of improv involved?

FC: I would say probably 90% of the time it goes. Right. Because I over plan. I over plan everything. So part of that recon process means I know everything that there is to know. Right. And I know what’s going to happen. I know the behaviors of the guards. I know some of the codes for doors, for example. So most of the time, I don’t need 90% of the plan. It’s literally I go up to a door and I walk in, and then I’m in.

FC: Right. And I didn’t have to worry about the 20 things that I thought might happen. So, yeah, most of the time the plan goes according to plan, which is sheer luck, I think, more than skill.

Chris: Well, reconnaissance, I mean, it’s super important, and I think in today’s world, a lot of that recon you can do behind the screen. Correct?

FC: Yeah, absolutely. I always do, like a digital recon piece first, and then I try and show up on site, if I can, early, and then just confirm that everything that I’ve seen digitally matches up. And that’s not always the case. Right. I’ve turned up before, and a door is suddenly no longer there. Right. It can change quite dramatically. You come up with this plan when you’re doing all the digital recon, and one of the things that I’m doing this week is I’m judging the fishing contest at the social engineering village of Defcon, and part of that process is they have to do an OSINT report. Now, OSINT is open source intelligence, and that’s basically the digital recon piece of whatever building they’re trying to get into.

FC: And I would say 90% of the teams only used Google and Google Maps. That is not going to show you everything. There are hundreds of resources out there, literally. You can just buy live satellite feeds of your location. There’s so many more things to it than people realize. It’s just Google Maps and Street View. There’s a bit more to it. Yeah.

Chris: And in a book, I mean, you spent nights overnights at physical locations for an engagement that takes you 1520 minutes to get in.

FC: And that’s the point. It’s like the more recon you do, the less time you have to work, because if you turn up and you’ve done no recon, well, you’ve got to sit in that ditch for a bit longer. Right? It’s just literally more recon. Yeah, literally sitting in ditches.

Chris: So, I mean, the book is, like I said, it’s phenomenal. You have a lot of stories there, really, that align with Mission Impossible level stories.

FC: I’ve been down the OD elevator shaft, climbed through the OD ventilation tube. Yeah, been there.

Chris: So let me ask you, then, is there anyone that you feel may be worthy of an adaptation in a feature film?

FC: I was approached by someone today, actually, who said they wanted to see if they could option the book into a movie, because I think there’s so many little scenes that would work really well. I think kidnapping people, that’s always fun, but we’ve seen that in movies. Stealing gold bars, we’ve seen that. Stealing a helicopter again, that would be a funny moment, I think, in a movie, just because of the stupidity of it.

FC: So, yeah, I think there are quite a few little stories in there that I think would make a good moment in a movie, for sure.

Chris: So if there was a movie made, who would play you?

FC: Who would play me? I don’t know. I’ll ask the audience. Who do you think would play me best? Wow. Johnny Depp. Johnny Depp?

Chris: Johnny Depp.

FC: I’m not that drunk. Maybe you Bruce Willis. Bruce Willis. Wow.

Chris: He bruce is not going to play him.

FC: Yeah, Woody harrell harrelson would be cool. Yeah, I’d go with that.

Chris: That’d be cool.

FC: All right.

Chris: So in the book, you reference some more tactical techniques that you have learned over your career, such as lock picking. And I really appreciate the fact that you sort of interweave some of the tactical techniques with stories. You also describe some other tactical techniques that you’ve used throughout your engagements. I’m just curious to know what is your go to? What tool has provided you the greatest amount of success?

FC: I would say most social anxiety and willingness to avoid people. That is the best thing for social engineering, because the more you avoid people, then you’re just dealing with hardware, and I can pick a lot much easier than I can have a conversation with someone. So, yeah, just avoiding people is my best skill.

Chris: Were you ever able to get into a secure area of a building with no physical tool at all, just using social engineering?

FC: Absolutely. You don’t even need that. Like, the number of times I’ve literally walked into a bank and just been like, this is a bit too easy. This is a bit silly because I should be stopped at some point. But you don’t talk to anyone. You just walk in. There’s a couple of stories in the book where I literally walk into a room, pick up a computer, and then walk out without saying a word. Like I say it’s, that willingness to avoid humans is the best skill.

Chris: And on the other side, do you find that humans are more susceptible just to avoid conflict?

FC: Yeah. Oh, absolutely. It depends where you are in the world. Different countries have different social aspects to them, different cultures, and you can play on that, right? So in the UK, where I’m from originally, nobody wants conflict, right? So if you are slightly aggressive to them, they will avoid you like anything, right. Come over to the States, for example. You guys are much more confrontational, right? Except if I then confrontate you back, if that’s a word, that’s an English.

Chris: Word, you guys counter confrontation.

FC: If someone confronts me and then I confront them back, it’s like, Why are you asking me this? Then they back down again. So if you go into the Nordics, you can overcome some of their cultural procavities. And if you go into the Asian APAC area again, they have this uncanny ability to just take commands because that’s how their companies are structured. So you have to do kind of different things in order to get past different types of culture.

Chris: One aspect that you talk about in the book is the letter of authority. You have a dedicated chapter to that.

FC: Yes, it is vital.

Chris: It is vital. And we all know that as the get out of jail free card.

FC: Yes, exactly. So whenever we’re doing these engagements, there’s always a client comes to us and says, can you break into our stuff and then tell us how you do it? Right. So nobody in that building should know about that test. We try and keep it to the bare minimum. It was probably five or six people that have signed it off, right? And that’ll be the C suite. If they’re not involved, right? If they are involved, then they may not even know about it themselves.

FC: So I have to have a letter that proves that I am there doing good. And so that’s called the letter of authority. And it lists basically, like, who I am, what I’m doing. And here are the people to contact through your internal phone systems, and then you can verify that I am who I am. But I put a spin on that where I have a fake one and the fake one is exactly the same, except all the numbers are my mates, right? So they got the same names. So if they get a phone call and says, is that John from this bank?

FC: They’re always like, yeah, it is. Let FC go. It’s cool, because that’s testing yet another level, right? And I’ve had this a couple of times where I haven’t had to use that false letter, but I’ve taught that lesson to other people and they’ve used it and I’ve got the phone call and I’m like, oh, yeah, it’s cool. Like, Sam’s cool. Let him in. And they’ve just let them in and they just carry on. And the letter says, don’t tell anyone about this.

FC: Pretend that you’ve never seen this person. So always have a letter of authority. Always have a backup one because oh, man, the number of times I’ve left a jacket with my letter in in the fifth floor, and I’m like, on the basement, it’s like, oh, I’ve only got one left. So always have a backup and then always have a fake one that you present first, but never present the fake one to actual law enforcement because that.

Chris: Will just go wrong.

FC: Yes.

Chris: So you talk about three copies, right? You talk about two real, one fake. Was there ever an engagement that you walked into that was so dangerous that you said, I’m done, this is it?

FC: I’ve had some interesting ones. There was one where I was confronted by two guards that had guns in a foreign country somewhere in Europe. I won’t name it. And I didn’t speak that language. I had no idea. And these two guards didn’t speak English. And the only way that I could get past them, I eventually managed to talk my way out of it, right, and sort of get through past them. But there was a bit in the back of my head where I was like, the only thing I can give them is my letter of authority, which is in my back pocket.

FC: And I don’t want to be reaching for my back pocket when they’re armed and I can’t communicate, I’m getting this thing. I’m not reaching for a weapon. Yeah, so that was a sketchy moment, but thankfully so what happened?

Chris: Did they take it for you?

FC: No, we didn’t get to the letter thing. We kind of had a little kind of, like, miming of where I was going and what we were doing, and they recognized that I didn’t speak their language, and they were a little bit embarrassed they didn’t speak English because it’s supposed to be a multinational corporation. So we kind of danced around each other a little bit, and I was like, yeah, I’m going this way. And I was like, okay, well, maybe you should go this way.

FC: So it was a tense moment that thankfully didn’t go any further, so it was nice.

Chris: Yeah, I bet it can be a scary moment.

FC: Yeah.

Chris: So these days you’ve taken a new approach to physical security assessments with Sygenta. If you don’t mind, explain that methodology to me and why you feel it’s more effective than traditional physical security assessments.

FC: Yeah, sure. So I’ve been doing this for three decades, right? And I’ve broken into thousands of buildings, right? Banks, government sites, military sites, office buildings, hospitals, all sorts of places. I have 100% success rate over those 30 years, right? And that’s not because I am the most amazing social engineer physical assessment person, right? It’s because all I have to do is find one way into that building, that’s all I’m there to do is, can I get into this building and then maybe exfiltrate something?

FC: And that doesn’t take a lot of effort, right? I just need to look at the building for long enough, eventually someone will let me through a door, or there’ll be a window left open or some other way I’ll get in. But what that gives to the client is a report that says, hey, I spent five days sitting in a ditch and I saw a door code, and then I went and used a door code. Change the door code. Right. That doesn’t give them the bigger picture of the security of their site.

Chris: You’re only looking at one you’re only.

FC: Looking at one thing. You’re only reporting one thing. Sometimes a client will be like, okay, well, spend the week breaking in as many ways as you can. Right? That’s good. And I’ve done that a couple of times. There’s a couple of stories in the book where break into the same building five different ways, or I break into multiple banks different ways. That doesn’t give the value to the client that we want to provide at Sydenter. So I’ve changed that approach a bit to being more of what we’d call a white box assessment.

FC: So we turn up with the client and we walk through their entire site, and I point out every single physical security issue, right? Every window, every lock, every door that’s put in wrong, everything. And they get, like, a 30 page report of 200 issues rather than one report that says one issue that we got in through this door. So it costs them a lot less. It takes me the same amount of time. I’m there for the day.

FC: I’m doing no recon, and they get much more value out of that. So that’s the approach we take now. And I was just chatting away with Graham here about this, and it was like, maybe if I’d been caught over those years, I would maybe think it’s worthwhile to do these tests. And there are cases where it is worthwhile. Right? So if we have a client come to us and they say, we’ve had a new security system put in here, this particular door, like the $60,000 door story in the book, then yeah, we’ll test that one thing because we’re only testing one thing, and that’s all they want tested.

FC: So we always have this educational piece with our clients when they come to us, like, is this really what you want? Or maybe we can get to your goals easier that isn’t as stressful and doesn’t cost you even a 10th of the price. Yeah.

Chris: Because if you walk through the front door, no problem.

FC: Yeah, exactly.

Chris: You write that report.

FC: Yeah.

Chris: But your side door is unlocked as well.

FC: We could have gone through ten other ways. It’s not worth a while.

Chris: So let’s talk about the surge of AI.

FC: Okay? Yeah. You know what I’m going to say about this now.

Chris: I would like to know, how much does AI play into the recon or information gathering aspect of what you do in terms of looking at the people that work at the organization, the actual organization itself. Is that something that you leverage as a tool?

FC: No. 100%. No. It is not capable enough.

Chris: Okay.

FC: And this is the issue we see in this industry, is like, a new tool comes out and everyone’s like, that’s going to replace whatever it is job you’re doing. Right. And it just isn’t capable enough yet. Right. AI. Five years ago, even like, what? How long ago did Chat GPT come out? Like eight months ago?

Chris: Not even.

FC: Right. So ten months ago, AI was effectively a bunch of if then statements, right? That’s about as good as it got. Nowadays, it’s kind of become a really fancy Markov chain where it’s like just building out what the next sentence will be and just pulling out data and then copy and pasting it in. It’s not going to replace pen testing. It’s not going to replace many jobs. It’s an extra tool in our belt.

FC: But I don’t see it really helping out on recon or social engineering, stuff like that. It’s good for stuff like if you’re looking at satellite imagery, and it can help you identify certain objects within that image that it’s really good at. But I can do that just as quickly because AI makes so many mistakes. I have to spend just as long checking those mistakes because if I get it wrong, that’s a bad day at the office. Right.

Chris: Let me ask you this then. Does the AI wave work to your favor? Do organizations and their trust in AI, do you consider that a vulnerability in itself?

FC: Oh, yeah, absolutely. Because it’s like any tech, right? They see some fancy flashy thing like you walk around the black cat hall, you see wonderful technologies that’s going to fix everything, and it doesn’t it just introduces more vulnerabilities into it. So, yeah, I see it as a it’s not mature enough to be used in a production environment yet, I don’t think.

Chris: Okay, but as organizations begin to implement that, that could be a potential attack vector for you.

FC: Yeah, exactly. I mean, we’ve already seen attacks on this, and I’ve given plenty of talks on attacks on automated vehicles, for example, just using Stickers, any system that is self learning is ingesting data. And if you can inject stuff into that data, it’s no different from a SQL injection on a web app. So there’s always going to be ways in.

Chris: FC, where can our listeners, the audience here, where can we find you online, connect with you online?

FC: Right. So depending on what it’s called this week, it’s either Twitter or X. It may not exist by the time this podcast goes out. Even though it’s live, twitter is probably the easiest one. Right? So it’s at underscore. Freaky Clown underscore. I have a YouTube channel. Mr. Freaky Clown. Or you can find us on what else we got Twitter for Sygenta HQ. My wife Jess has a very fabulous LinkedIn profile that you can use to get to my LinkedIn profile because apparently searching for FC on LinkedIn will just bring up loads of random stuff and not my account.

Chris: Okay, we’ll get links posted as well. Please do. Now, if I had to guess, since you’re seven I’m not seven, by the.

FC: Way, that your drink of choice would.

Chris: Be a vodka martini, shaken, not stirred. Now, you would be wrong because I would be wrong.

FC: I don’t drink.

Chris: I know. Okay, so if you don’t drink, what is your go to beverage on a night that you have to decompress after a night of work?

FC: Right. So if it’s before 06:00 p.m.. It’s a Coke Zero. If it’s after that, it’s probably a Canada Dry. Okay. So, yeah.

Chris: FC, are you familiar with that sound?

FC: I am.

Chris: That is an air raid siren. And because you have a 100% success rate, you’ve probably never heard that.

FC: And.

Chris: The authorities are not looking for you. But don’t be nervous. That’s just the sound of last call here at Barcode. So do you have time for one more? Okay, if you opened a cybersecurity themed bar, what would the name be and what would your signature drink be called?

FC: You asked me this before on the podcast. I know. I don’t know what I’d call it now. Oh, man, I can’t remember what I even said. I came up with something clever on the day, and now I cannot remember it at all. Cybersecurity. So I don’t know. Anyone else got any suggestions?

Chris: What would you call cybersecurity themed bar?

FC: Yeah, see, everyone’s gone blank. Hack. Barcode is a great one.

Chris: Don’t take my name.

FC: I think it’s taken, though. Apt.

Chris: Apt.

FC: Okay. All right.

Chris: Apt. And if you had a bar called Apt, what would your drink be called?

FC: It would be zero Cool.

Chris: I like it. Well, on that note, FC, I want to thank you, brother. Thank you, Matt, for joining me tonight at Barcode. At Barcode. FC has graciously signed books, 40 books here that we’ll be giving out. And last note, I want to just let everybody know that we are filming a documentary at this point, me and Matt, and this Barcode podcast hopefully will make the documentary. It’s called Inhuman, and the website is Inhumanddocumentary.com. You should all have stickers on your table. So please check it out. I encourage everybody to check out the website and support us if you can.

Chris: And yeah, FC, thank you so much, man.

FC: Thanks for having.

Chris: Great seeing you.

FC: Awesome.

Chris: Appreciate you, man. And it is 7:39, the Limo to Mandalay leaves in six minutes. So get your last call and thank you all for coming out. Appreciate you guys.

FC: Thank you very much.