
🔑 Key Takeaways

  1. Despite challenges and distractions, pursuing personal interests in childhood can lead to successful careers and fulfilling memories in adulthood.
  2. Starting a business can come with family challenges, but passion and technical expertise can help overcome them.
  3. In penetration testing, being prepared for any scenario, having a safety net, remaining calm, and using appropriate gear can minimize risks. The goal is to find vulnerabilities, not cause harm.
  4. Penetration testing involves careful planning, discreet behavior, and avoidance of unnecessary damage. Only professionals with necessary permissions and safeguards should carry out such tests.
  5. It's better to own up to mistakes quickly and responsibly, like John Strand did when he showed his permission-to-test memo and ID to the police. Using pen test-like techniques in a positive way can play a crucial role in cybersecurity, as demonstrated in the capture of a child kidnapper.
  6. Offensive security strategies such as phishing, social engineering, and physical penetration tests can be used for good to improve defenses, identify attackers, and rescue victims. Successful security strategies require a combination of technical knowledge, creativity, and practical experience with the systems being tested.
  7. Before conducting a pen test, it is crucial to weigh the potential risks and consequences associated with clever techniques, and ensure that all participants are aware of the potential danger.
  8. Cybersecurity is not only about technical measures but also about training and awareness. Regular security audits and self-checks can identify vulnerabilities and improve security posture to prevent unauthorized access.
  9. Following proper security protocols is crucial to preventing cybersecurity breaches, and taking time to cherish memories of loved ones is equally important in life.

📝 Podcast Summary

The Childhood Adventures of John Strand, Founder of Black Hills Information Security

In this episode of Darknet Diaries, John Strand shares how he grew up in the middle of the woods, was exposed to computers through his dad's work, and liked to tinker with them. During his teenage years he had a computer at home and learned to program. He also had a troublemaker sister who made his life miserable, especially over his interest in dating girls. Strand admits that he acted out and got into trouble at school sometimes too, like reading the menu in the style of an old Southern Baptist bully-pulpit pastor, but he cherishes his childhood memories and wouldn't trade them for the world.

Starting a Pen Testing Company and Overcoming Family Criticism

John Strand started a pen testing company, Black Hills Information Security, after working for a defense contractor and teaching hacking techniques and penetration testing. He had family support from his sister, who did report editing, and his mom, who helped with finances. However, his mom's involvement sometimes caused problems, like when she saw credit card charges for a fancy steakhouse and sushi dinner in Vegas. She chewed him out for spending so much on just two meals, causing a chain reaction of scolding from his family. Despite the challenges of running the business, John loved the technical aspect of penetration testing and used his skills to test buildings and networks for vulnerabilities.

Preparing for Risks in Penetration Testing

Penetration testing may require unorthodox, unconventional approaches. It's important to prepare for various scenarios and have a plan B. A safety net such as duress words can help if things go wrong. Even when a situation seems intense, remaining calm and explaining oneself can usually resolve it without harm. Risks still exist, and precautions like carrying the right gear and tools during the test increase the likelihood of success. Above all, it's important to remember that the goal of such testing is to find vulnerabilities in the system so they can be fixed, not to cause harm or damage.

The Dos and Don'ts of Penetration Testing

Penetration testing involves gaining access to buildings or computer networks. Passive reconnaissance and planning are key elements of such tests. Physical pen testers carry various tools in their backpacks, including USB thumb drives and utilities. Being discreet and not alarming people is important: rather than dressing like an adventurous superhero, it is better to go in with normal clothes and bags. Breaking things like flower pots and desks during a test should be avoided, and in case of accidents one should leave a note with an apology and contact information. Such tests should be conducted only by professionals, after the necessary permissions and safeguards have been obtained.

The Importance of Owning Mistakes and Using Penetration Testing Techniques Responsibly

Owning up to mistakes quickly is better than trying to skirt around the issue, because it shows responsibility. John Strand was able to convince the police that he was legitimately conducting a penetration test by showing his permission-to-test memo and ID, without the point of contact even being called. In a separate incident, John was approached by law enforcement to help track down a child kidnapper using pen test-like techniques, such as sending a document that would beacon back through a cascading stylesheet (CSS) reference or an img src tag, which eventually led to the capture of the suspect. Using such techniques for good plays a crucial role in cybersecurity.

The Dual Advantage of Offensive Security: Locating Perpetrators and Rescuing Victims

It is possible to use offensive security tactics for good, applying phishing and social engineering methods to locate perpetrators and rescue victims. This approach blends offensive and defensive strategies to improve defenses and identify attackers. Physical penetration tests can also be effective, as demonstrated by a successful test conducted by a food service director who used her experience and knowledge to fool staff at various sites. Successful security strategies require a combination of technical knowledge, creativity, and practical experience with the systems being tested.

The Risks of Using Clever Techniques in Penetration Testing

John and his team used a USB stick carrying an .exe file and a document to drop an implant on the system and establish remote access to a computer through a connection back to John's server. The payload was a tool whose only function was to obtain a remote connection to another computer, not malware. The test required John's mother to use the USB stick to gain remote access to the computers in the prison and establish callback documents. Although the test was clever, there were risks involved, including John's mother getting arrested. It is essential to consider the consequences before getting wrapped up in any ruse when conducting physical or technical pen tests.
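The beaconing documents mentioned here and in the kidnapper story above rely on a document fetching a remote stylesheet or image when it is opened. As an added example, not code from the episode or from Black Hills Information Security, the following defender-side check scans a document for such remote references and reports any that point outside an allowlist, the way a mail gateway or document sanitizer would flag them. The trusted host, the sample document and its hosts are constructed values.

```python
"""Flag document references that can beacon to a remote host when opened.

Added defensive example (not from the podcast or Black Hills): detects the
img-src / stylesheet callback pattern the episode describes. The allowlist
and the sample document are constructed for illustration.
"""
import re
from urllib.parse import urlparse

TRUSTED_HOSTS = {"intranet.example.org"}  # constructed allowlist

# Tag attributes that trigger a fetch on open: <img src>, <link href>, <script src>, <iframe src>
_ATTR_REF = re.compile(
    r"""<(?P<tag>img|link|script|iframe)\b[^>]*?\b(?:src|href)\s*=\s*["']?(?P<url>[^"'\s>]+)""",
    re.IGNORECASE)
# CSS references that also trigger a fetch: @import "..." / @import url(...) / url(...)
_CSS_REF = re.compile(
    r"""(?:@import\s+(?:url\(\s*)?["']?|url\(\s*["']?)(?P<url>https?://[^"')\s]+)""",
    re.IGNORECASE)


def find_remote_beacons(doc, trusted_hosts=TRUSTED_HOSTS):
    """Return (kind, url) for every reference that would fetch from an untrusted host.

    Relative paths and data: URIs have no hostname and are ignored; anything
    with a hostname not in the allowlist is reported in document order.
    """
    candidates = [(m.group("tag").lower(), m.group("url")) for m in _ATTR_REF.finditer(doc)]
    candidates += [("css", m.group("url")) for m in _CSS_REF.finditer(doc)]
    remote = []
    for kind, url in candidates:
        host = urlparse(url).hostname
        if host and host.lower() not in trusted_hosts:
            remote.append((kind, url))
    return remote


# Constructed sample: one trusted stylesheet, one local image, three callback references
# (203.0.113.10 is a documentation address; .invalid is a reserved TLD).
SAMPLE_DOC = """<html><body>
<link rel="stylesheet" href="http://intranet.example.org/style.css">
<link rel="stylesheet" href="http://203.0.113.10/track.css">
<img src="https://tracker.invalid/pixel.png?id=42" width="1" height="1">
<img src="logo.png">
<style>@import url("http://203.0.113.10/fonts.css");</style>
</body></html>"""

if __name__ == "__main__":
    for kind, url in find_remote_beacons(SAMPLE_DOC):
        print(f"remote {kind} reference: {url}")
```

A sanitizer built on this check would strip or rewrite the flagged references before the document reaches a user; a detection pipeline would instead log the destination hosts for correlation with outbound proxy traffic.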

The Role of Social Engineering in Cybersecurity and the Need for Employee Awareness and Comprehensive Security Measures

The story highlights how social engineering techniques like deception and manipulation can be used to gain unauthorized access to secure areas or systems, and it emphasizes the importance of security awareness and training for employees in preventing such attacks. The incident also shows the need for regular security audits and self-checks to identify vulnerabilities and improve security posture. Overall, the story underscores the critical role human factors play in cybersecurity and the need for a comprehensive approach that addresses both the technical and non-technical aspects of security.

Importance of Security Protocols and Cherishing Memories

Proper security protocols and procedures are critical to preventing cybersecurity breaches. Negligence and failure to follow standard operating procedures can lead to unauthorized access to secure networks; in this incident, several failures on the part of the prison allowed the hacker to access sensitive information. The story also sheds light on the importance of holding on to memories and the legacies of loved ones after they pass away, and highlights the value of dedication to one's work and of being brave and fearless in life, as demonstrated by John's mother. Security measures must be taken seriously to protect vital information, and people should appreciate the moments they have with their loved ones.