How I Rob Banks E-Book

Table of Contents

Cover

Title Page

Foreword

Introduction

Chapter 1: What Is Social Engineering?

Chapter 2: 330 Cameras

Chapter 3: Expensive Doesn't Mean Secure

Chapter 4: The Trolley Problem

Chapter 5: High (Street) Security

Chapter 6: The Psychology of Stairs

Chapter 7: The Broken Arm Ruse

Chapter 8: Crown Jewels Are Not Always Shiny

Chapter 9: This Is My Office Now

Chapter 10: How to Use a Pen to Hack Any Door

Chapter 11: My First Kidnapping

Kidnapping Addendum

Chapter 12: I Needed a New Computer

Chapter 13: Building My Own Office

Chapter 14: Letter of Authority

Chapter 15: Astute Manager

Chapter 16: I Can't Fly a Helicopter

Chapter 17: Doppelgangers Exist

Chapter 18: Stealing the Keychain

Chapter 19: It's Dangerous to Go Alone. Take This!

Chapter 20: The Gold Bar

Chapter 21: Plush Carpets

Chapter 22: Clean(er) Access

Chapter 23: What We Do in the Shadows

Chapter 24: What Do I Know about Diamonds?

Chapter 25: How to Crack a Safe

Chapter 26: Find a Safe Space

Chapter 27: Well, That Was Unexpected

Chapter 28: Opening a Door on Security

Chapter 29: How to Tailgate an Opaque Door

Chapter 30: The Guard Who Was Too Polite

Chapter 31: The Swan Effect

Chapter 32: What's in the Box?

Chapter 33: How to Bypass an Elevator Security System

Chapter 34: The Loading Bay

Chapter 35: The Escort

Chapter 36: The Staircase

Chapter 37: How to Bypass PIR Detectors

Chapter 38: ATMs

Chapter 39: Open Windows

Chapter 40: Security on a String Budget

Chapter 41: How to Bypass Padlocks

Chapter 42: Padlocked Gates

Chapter 43: The Security of Glass

Chapter 44: Trading Places

Chapter 45: How to Bypass Keypads

Chapter 46: E-Waste

Chapter 47: Fourteen Desktop PCs

Chapter 48: Spy Gadgets

Chapter 49: How to Steal Fingerprints

Chapter 50: Five Banks a Week

Chapter 51: Finding Out Too Much

Chapter 52: Needle in a Haystack

Chapter 53: Stealing a Purse and Keys

Chapter 54: How to Pick Locks

Chapter 55: The Porn Cupboard

Chapter 56: The Apartment Across the Way

Chapter 57: Magazine Shoot

Chapter 58: Double Trouble

Chapter 59: Fake ID

Chapter 60: Impersonation

Chapter 61: How Maglocks Work

Chapter 62: Personal Escort

Chapter 63: My Favorite Door

Chapter 64: Microwave Fences

Chapter 65: Discarded Passes

Chapter 66: Bypassing Speed Lanes

Chapter 67: The Case of the Angry Man

Chapter 68: Let's Play Doctors

Chapter 69: That's for Me!

Chapter 70: How to Use a Snickers Bar

Chapter 71: Taking the Bus to Work

Copyright

Dedication

About the Author

Acknowledgments

End User License Agreement

Guide

Cover

Table of Contents

Title Page

Copyright

Dedication

About the Author

Acknowledgments

Foreword

Introduction

Begin Reading

End User License Agreement

Pages

iii

xv

xvi

xvii

xviii

xix

xx

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

iv

v

vii

viii

ix

237

How I Rob Banks

(and other such places)

Foreword

It is a common complaint in cyber security that we don't relate our complex and important subject to ordinary life in an accessible way. There is no such problem with How I Rob Banks and Other Such Places, which is what makes its publication so welcome.

For some years now, FC has been at the fore in highlighting the multiple dimensions of cyber security and showing how a complicated and chaotic tapestry of vulnerabilities can be exploited. He is a living, breathing advertisement for ethical hacking and protected research. He thinks like a bad guy but acts (and writes) as a good guy. In that way, he exposes us to the worst tendencies of human life—malevolent intent on the aggressor's part; carelessness and complacency from the defenders—and points us toward achievable, practical ways of reducing harm.

I spent nearly seven years setting up and then running the UK's National Cyber Security Centre, part of the intelligence agency GCHQ, from the end of 2013 to the middle of 2020. This was an important period in cyber security, with the evolution of nation-state threats and the explosion of organized cyber criminality (particularly ransomware). But as things changed, patterns emerged in the way attacks were being carried out that caused us to think again. One of the most important areas of change was to banish the nonsensical phrase “people are the weakest link” and focus instead on how real people with real jobs working on real networks can manage the online mayhem FC charts so magnificently so that they can get on with their work and their lives.

I only wish this often comical but always crucial compendium of cyber capers and capabilities had been available at the time, and I commend it to you now.

Ciaran Martin

University of Oxford

Founding head of the UK National Cyber Security Centre (2013–2020)

Introduction

I'm standing in central London, it's 2:00 a.m., and I'm dressed head to toe in dark clothes. I also have on a balaclava, but it's rolled up into a small beanie hat. My arms are crossed tightly in front of me, and I'm lost in thought, staring at a large red stone building. Inside this fortress-looking building is a multinational trading bank. Someone behind me clears their throat and calmly asks, “What are you doing?” Without even thinking, let alone looking around, I answer with the truth: “I'm trying to work out how to break into this bank.” The intake of breath behind me snaps me out of my thought process.

I then turn to the voice and see two policemen staring at me in disbelief.

But my job isn't just about breaking into buildings; it's also about convincing people to believe me, whether I'm speaking the truth or lies. So, I did what anyone would do: I talked my way out of that situation with the truth, by explaining what my job is.

The truth is always better than lies. If you're going to tell a lie, it should be simple, short-term, and preferably preplanned. Anything else can quickly unravel.

I have a very interesting job: I break into things. Not just buildings but also digital fortresses and anything and everything that has a security control.

I never knew what I wanted to do when I was a kid at school. All I knew was how to survive the extreme poverty and abusive home I grew up in and how to circumvent systems and processes to keep myself fed and as safe as possible. It was in these formative years that I developed the skills to get me into a career I never would have dreamed existed: legally robbing banks.

I have probably robbed more banks than any single person on earth. It's an odd job, but it is something I am really good at. My goal is often very simple: infiltrate the company, find the target, and see if I can steal it, whether it's a bar of gold worth over a quarter of a million pounds or an box files of documents. One thing they never show in movies is how damn easy it can be.

I started my career working for multiple security companies, having been at the forefront of social engineering and the physical intrusion industry as we know it today. I was then lucky enough to be the head of cyber research for Raytheon, a giant in the defense industry, where I worked hand-in-hand with multiple government agencies around the world. My role there ensured the continued safety and security of the five-eyes nations and their allies, and I will always be proud of the work we achieved. While there, I began to germinate thoughts of creating a cyber security firm like no other. Soon after, I started Cygenta alongside my wife, Dr. Jessica Barker, covering physical, digital, and human cyber security concerns. Our cyber security consultancy works with some amazing heavyweight clients around the globe.

In my heart and soul, I will always be a hacker, whether that is digitally or physically, as the thrill of gaining access to something is one that will never go away for me.

I have been legally breaking into places both digitally and physically for almost three decades. This book contains some of the most interesting, funny, and downright unbelievable things that have happened during my career so far.

In this book, you are going to learn a lot about banks and how they work. Not just banks but also government buildings, commercial offices, and much more. Interspersed throughout, I will show you some of the tools and techniques I have used to gain access to some of the world's most secure buildings. If you are looking to get into a role like mine, looking to defend against people like me, or are just a curious bystander, you will find something of interest in this book. I ask that you do not use anything you learn here for malicious purposes.

So how is any of this legal? Why have I not been locked up for robbing thousands of banks and stealing data and assets worth hundreds of millions? Well, clients come to us and ask us to break into their companies and then tell them how we did it; this allows them to shore up their security defenses before the bad guys come along. Nothing we do would be legal without a lot of paperwork and ensuring that we stick to the rules of engagement. I will cover more about this later in the book, but suffice to say that in all my years in this career, I have never broken the law or broken into something when I did not first have permission to do so.

In the writing of this book, I want to entertain you and show you a little of my world; however, first and foremost, I have a duty of care to not only our clients but also the companies, countries, and individuals represented in this book. So, for the sake of security, I have had to change minor details so as to not step over the line and reveal serious security flaws, some of which have never been fixed.

A lot of the work we do is not as exciting as one might expect from reading this book. It may surprise you to know that often there is nothing interesting about stealing something from a secure building; however, sometimes a small event happens that is either a helpful learning experience and/or hilarious. As I wish to share all the funny and ridiculous things that have happened during my work, I have integrated some of these tiny details into the larger stories for narrative reasons, for times when I cannot reveal a sensitive detail, or when it was just too good not to share but did not take more than a sentence. But I assure you that every single anecdote is real and as detailed and accurate as I can make it without breaking an ethical or contractual bond. Where possible, I have included photos that I took during assessments, and I have provided drawings to help illustrate techniques or maps for context.

Oh, and in case you are wondering what happened with the police and that bank I mentioned, I was able to explain my job, and after some convincing, they let me get on with my job. I broke in and “stole” millions of dollars!

I hope you enjoy this book as much as I enjoyed spending my career so far performing the feats to fill it.

FC aka Freakyclown

Chapter 1What Is Social Engineering?

Social engineering is the manipulation of people and situations to gain access or information that otherwise is not available to you. Social engineering can sometimes be used to bypass physical security—mechanisms in place to prevent access by unauthorized people—but not always.

Organizations pay me to test their security. I use a combination of social engineering and physical attacks to do so. The security I test might be the locks on their doors, the security guards and receptionists, or their computer networks. Most often, it's all of those and much more, as you'll discover as you read about how I break into banks.

In my role as a security professional, I use psychology, body language, charm, flirtation, lock picks, and other tools to break in. Before all that comes a lot of preparation and paperwork.

Social engineering has a long history, albeit usually by another name—scams. Before we hear about my adventures, let's look at the first social engineering attack.

The best-known historical piece of social engineering is the Trojan Horse. While almost certainly a myth, it's mentioned in book 2 of the Aeneid, a book of Greek poems, and again in The Odyssey by Homer. As I am sure you know, the Greeks pretended to abandon the siege of Troy and left behind a giant wooden horse. The Trojans, thinking it was a gift from the gods, brought it inside their walled city. That night, the Greek warriors hidden inside the horse climbed out, killed the guards, and let the remaining Greek army inside.

I am sure you can see the moral of the story is about trusting what you don’t know and letting them past your defenses. Computer viruses are often called Trojans because they are disguised as something benign. The myth shows the many things social engineering relies on: deception, a false sense of security, distraction, and making the target feel like they have succeeded—all the while playing into the attacker's hands.

Many years ago, I was asked to provide my security expertise to a prison in England that was prone to riots and escapes. My role was the opposite of most: they wanted me to prevent people from getting out rather than people getting in. While working in and around the prison, I was told the story of an escapee who used a method similar to the Trojan horse.

The prisoner noticed that two of the laundry machines were broken and due to be replaced. They had been disconnected, checked over, and left in a loading area. The day the removal team arrived to pick up the machines, he hid inside one, much as the Greek soldiers hid in the horse. Several miles down the road, he broke out of the machine and out of the lorry and escaped. (He was eventually recaptured.) I wonder if he had ever read The Odyssey?

Criminals use social engineering to perform all sorts of attacks, from what we call phishing email attacks to get passwords to huge fraud attacks that steal hundreds of millions of pounds.

While many criminals use social engineering to scam people, some people use it daily, sometimes unwittingly. Sales personnel, for example, try to convince you to do something you don't always want to do: spend money. Marketing is all about social engineering: time-pressure sales, discounts, and added values that don't really matter. Supermarkets spend millions on the placement of items in stores to get you to buy things. Why do you think there are sweets near the payment tills? Because you will be standing there in a queue, and your child will beg you to buy the sweets they just have to have. It's an easy sale.

Every day in your office, you make small, political movements, coercing someone to do something for you. I bet you didn't know you were a social engineer! Who doesn't know that smiling or flattery works to get your way? Consider how many times over the last year you got your way, and think about how you did it.

For my role to be effective, I need to manipulate people into performing actions they would not normally perform. This can be tricky. But my role also includes having skills that attack or bypass physical systems. You can be the best social engineer in the world, but you can't out-smile or flatter a fingerprint reader. A locked door will remain locked unless someone unlocks it, no matter how much you yell at it or ask it nicely to open. This book will show you some techniques and how they have worked for me over the last three decades of my career.

Social engineering is just a fraction of the skills required to do what I do, but it is an essential foundational ability. It will continue to be the number-one attack used by criminals, as it has been for thousands of years. Understanding why it works and how it's used is the only way to recognize how to defend against it and prevent yourself from becoming a victim. As you move through this book, enjoying the anecdotes of my funniest and weirdest moments, try to pick out the “red flags” you could have spotted to prevent each attack. This book is an educational tool as well as an entertaining read; absorb the defense lessons, and honor them by putting them to use in your life.

Chapter 2330 Cameras

Understanding the environment that you are trying to protect is vital. Without an extensive understanding of how security will fit in the environment, you risk making it ineffective or, worse, making it work against you.

I was once tasked with breaking into a government building. This building was not in the UK, but unfortunately, I was! Therefore, I was unable to do any recon work myself before the actual break-in. However, there was a ray of hope: a work colleague had been at that site a few weeks earlier. Despite them having no physical security experience, I felt I could offer some guidance about what to look for, and they could report back to me so I could plan accordingly.

Here is the report I got back from them:

There are loads of doors, too many to count, maybe 20 or so with no guards. They all look open to me.

I don't think I saw any cameras. Maybe a couple—I don't really remember.

There was a security guard near the main entrance, but it's pretty open. You can walk in and get a badge and go in through the barriers.

It looks pretty open; I could wander anywhere I needed.

You can probably already guess that everything in this report was wrong. Once I turned up in the UK, I took a quick look myself, and wow—the building was a fortress.

There were many doors, but all of them were emergency exits with no way of being opened from the outside. I found out later that there were 330 cameras around and in the building. The main entrance was guarded by two security guards armed with guns at all times. No one was allowed into the building who was not expected; only those who were expected could approach the reception area and get a badge.

Obviously, my friend had been expected and so was given a badge; they weren't watched by security and barely wandered around the building. They also missed the roaming armed police presence in the building, the numerous cameras, and the man-trap systems to prevent people from moving from one part of the building to another, along with numerous other security features I shall not mention for obvious reasons.

So I was stuck with a seemingly impenetrable fortress of a building with more cameras, more armed police, and more overall security than I had ever faced.

I did what any professional in my situation would do: I panicked, called my account manager, and said I wouldn't do it.

I rarely suffer from what is known as imposter syndrome, the belief that I am not as good as others assume I am. But I felt as though I had been hoodwinked, which put me on the back foot and lowered my expectations about the amount of planning I had to do.

My account manager was brilliant; he told me to stop being stupid, that he had never known me to fail, and that I should get on with it. So I did.

I spent the next 48 hours watching, timing, planning, plotting, making notes, and consulting online resources. By the third day, I had what I felt was the only possible plan to infiltrate this incredible challenge.

Many hours later, I sat with my client, discussing how I had managed to get in and perform the tasks I had been assigned. We were in the security room, facing a bank of monitors and large screens. Several of the security team were busy spooling back and forth over my tracks: I had managed to evade most of the cameras inside easily enough, the tapes showed an odd glimpse of me but nothing that had been flagged as suspicious.

What was suspicious only in playback was my sudden presence in the building. I had appeared near the loading dock and was let in via a staff door by a friendly passerby. But how I got to that door remained a mystery.

As they scrolled through cameras, I helped pinpoint the moment I got in. In the very corner of a screen, if you paused for a few frames, you could see part of a shoe.

I explained that I had studied the building, layouts, and camera angles, and one had caught my eye. The loading bay was underground and had wonderful architecture, with a long ramp aligned very nicely with the sun at a specific time of the morning. The low angle of the sun and the camera position meant that for a few minutes during the morning, the sun entirely blinded one camera. All I had to do was walk down the ramp, slip past the camera in those few minutes, and hope that the security team could not see me.

I felt pretty smart. But I can tell you, they did not see it that way and thought I had somehow “cheated.”

I mentioned that had I not been a simulated attacker, I could have shone a high-power laser at the camera and taken it out entirely. That would have had lasting effects on the camera and probably been spotted by the security staff, but it was possible, at least.

Interestingly, after I got to the internal door, it was locked. I had to bang on the glass and convince a passerby I had left my pass inside—and they let me in. Again, security culture let them down, rather than the tech.

Once inside, after thanking the gentleman, I walked off to the left and around a corner. The first people I almost literally bumped into were two armed police officers. I did not speak the language, which is always worrying with guns in the picture, but I casually nodded and walked by. Never interact with people if you can avoid it!

Chapter 3Expensive Doesn't Mean Secure

In the security industry, companies are often duped into buying expensive solutions to perceived problems. Usually the salespeople don't mean to sell snake oil, but often they don't listen to the client or understand their needs and weaknesses. If you take one thing from this book, please let it be that “expensive does not mean secure.” I try to explain to our clients that they should, as Jessie J told us in her 2011 hit single, “forget about the price tag”!

This story is a splendid example of a security solution being installed without the client, consulting firm, or builders understanding their areas of expertise.

I was tasked with breaking into the head office of a particularly large and well-known bank. As mentioned, one of the most important things you can do with a client is talk to them and really listen to what they are after. This conversation ensures that the client is not spending more money on a job than they need to and that what they are asking for is actually what they need.

After a lengthy conversation with the bank, it became clear that the job was an extremely specific case and unlike most assignments we take on. The client asked me to enter the building through one specific door. This was unusual because the test was against the door system itself, not an attempt to gain access to the building or information.

It turned out that a security firm had recently suggested an upgrade to the client, and the client had done what they were told without any further consultation. They had spent upward of £60,000 on one door: the target door. It was state of the art at the time of the job, meaning it utilized a lot of new technology that we take for granted now, such as remote camera modules, wireless access cards, fingerprint override, sensors to detect multiple people, and anti-pushing technology. Evidently, after all the time, disruption, and money involved in installing the door, the client caught on that they had been duped and decided not to use the same security firm to test it.

As with all security, it is important not only to understand the security device but also to understand it in the context of where it is placed. With that in mind, I must share the details of how this insanely expensive door was placed within the HQ of this wealthy bank.

The building had three entrances. The first was sometimes staffed by security and had a turnstile system (I will cover this later). That would be an effortless way into the building. The second entrance was temporarily blocked off and unusable because of broken glass that made it potentially dangerous. The third was where my task lay: the sophisticated £60,000 revolving door that the client had a lot of faith in.

We start every physical security job with reconnaissance. The more reconnaissance you can do, the higher the success rate of the job. It can vary from hours to days of surveillance and intelligence gathering before attempting access.

I needed to spend some time watching the new door system to see if I could find a flaw that I might be able to use. The remoteness of the door made it impossible to get close and circumvent it physically; it also meant it would be hard, if not impossible, to attempt to clone the access cards being used. So, in the middle of winter, I pulled together my surveillance kit and headed out of my warm hotel room into the frosty night at around 1:00 a.m. I chose this specific night because it was moonless and overcast—both are important for sneaking around secure places at night.

I arrived near the site and hiked the last half mile to ensure that the car was not seen near the entrance. I was wearing my night kit: a selection of very dark blue clothes, including a matching balaclava. (Wearing black almost always makes you stand out more than dark blue. There is something uncanny about the color black, and humans pick it out subconsciously.)

I approached the fence line from one side, away from the main entrance, and noted the lack of CCTV cameras. The movie Fight Club portrayed a few things accurately: one was that a small piece of carpet is fantastic for climbing over a barbed-wire fence. I threw my small rug over the top of the fence and swiftly climbed into the compound. After removing the rug and tucking it against a nearby tree for later escape, I silently and swiftly made my way along the copse of trees and down to a runoff stream. I lowered myself into the stream and crawled along to get as close as possible to the door system.

Once I settled on the perfect spot, it was about 2:00 a.m. I was covered head to toe in cold, wet mud, and the water from the stream had gotten into my boots and soaked my feet. I knew I was in for a night of extreme discomfort.

I spent the next few hours in that cold, wet, muddy ditch peering at the door system through my night-vision goggles. It was covered by infrared security cameras, it had no keypad for a number code to override it, and security guards patrolled every 40 or 50 minutes, depending on how long they stopped for smoke breaks. Around 5:00 a.m., it started to snow—not fluffy Hollywood-style snow, but English snow, more akin to a Slushy being tipped on your head than the comforting flakes from It's a Wonderful Life. Life was not wonderful in that ditch.

However, my job is not to provide my client with minute-by-minute details of the weather and wetness of their ditches; it is to provide security advice. During those five torturous hours, I found a security flaw and formulated a plan. Around 7:00 a.m., before it got light, I hustled back along the stream to my rug-assisted exfiltration point and then back into the hotel. Once there, I took a quick, extremely hot shower, ate, and had a power nap before getting dressed in a nice suit and heading back to the site. It was time to see if my plan was going to work.

I'll attempt to give the narrative of what was captured on the CCTV. At 8:59, I am seen entering the path that leads to the door. As I walk toward the door, observant people would have picked up that my pace was deliberate. I glance at my watch and pause mid-step for barely a second. At precisely 9:00 a.m., I step into the door without interacting with the pass system. The door automatically revolves, and I stroll into the building.

As we reviewed this footage, the security team and the client looked at me and then back at the screen. They replayed it several times to confirm what they had just witnessed. The head of security, baffled at what he had now watched five times, turned to me and said, “Are you a Jedi?”

I explained to them the flaw I found. When a sophisticated moving door is installed, it is done not by security-trained staff but by builders. Like most of us, they work based on their experience rather than by following the manual. But such a door has a series of security steps that your average revolving door at a supermarket does not. Once the door is installed, the builders sign off, and someone else has to look after it and maintain it. But before the sign-off, the door must be tested. Doors like this have an “engineering” mode for precisely this type of testing: every 15 minutes, the door automatically rotates 180 degrees to ensure that the bearings are working, nothing is catching, etc.

During my five-hour vigil in the ditch, I noticed that the £60,000 door had been left in engineering mode. Every 15 minutes on the dot, it performed a rotation. I knew that if I timed it right and made sure I was inside the door entrance when it did this, I would have my way in. Even though I was observed by CCTV, security never caught me. CCTV is (almost) always a method of retrospective security to prove something happened and not an active monitoring system.

Reconnaissance pays off, and preparation is key. The actual test only took a few minutes, but the wet, muddy, miserable hours of observation led to my success.

Chapter 4The Trolley Problem

Now and then, a job comes along that is so full of warning signs that you don't want to even consider taking it on. This one was one of those jobs. I should have been concerned that it was a government facility; that meant top-notch security. I should have seen the red flags when I was told the site was so sensitive that it had its own permanent police presence in a building next to my target. Still, I took the job and never regretted it.

For obvious reasons, I cannot give you much detail about the site. There will be no maps or geolocation specifics. But I can tell you that gaining access to the site and making my way across the grounds was one of the easiest jobs I had done to that point.

The site in this anecdote was like several other ultra-secure sites I have broken into during my career: they focus on stopping you from getting out rather than getting in—a very odd but specific security tactic. While most sites we deal with are built to prevent non-authorized individuals from gaining access, at a certain level, that often flips around. Ultra-secure sites tend not to highlight their security. For instance, consider this photograph my wife and I took on a visit to Area 51, the ultra-secret black site in the USA.

Note the lack of fencing, cameras, and other security measures you would expect at such a place. Another site with a similar approach is Fort Knox, the gold repository in Kentucky, USA (but they also have a standing platoon of soldiers and tanks to help shore up security).

While gaining access to this specific site was easy, accessing the building was the main point of this assessment. The client hoped I would never be able to gain access to the building, let alone sensitive files; but on the off chance that I did, I would have to prove that I could exfiltrate sensitive information.

After making double-sure I had found the correct building (I did not want to accidentally break into the police station), I utilized one of the methods described later in the book. (Sorry, I can't tell you which one because it worked.)

Almost every secure building has a mentality built on centuries of defense, from ancient castles to even further back: to set up a secure perimeter and only let in the right people. The technology has changed, but the mentality has not. Once inside the building, I had free rein to go wherever I needed, as is often the case.

While I was wandering around, chatting with people, and finding my bearings, I walked down a corridor with plastic skirting boards and dull beige paint peeling off in flakes. The lack of people in the hall, the poor upkeep, and the décor were subtle indications that management never came down here. This was the maintenance and logistics area.

The end of the corridor had a set of double doors that wouldn't have looked out of place in a restaurant, given the way they swung back and forth and had little round windows breaking up the government-beige paint. Behind these swinging double doors was a small, open room.

As I pushed into the room, I expected at least one or two people to greet me. However, the room was empty except for trollies and trollies of red folders. Red! I knew immediately that I had hit the jackpot. In the government world, classified material is often kept for years and is frequently stored in plain folders in big storage facilities. But when a satellite site like this one is working on transient data or information that has been shared with them from another agency, it is often stored in red folders. This aids in identifying classified materials that are to be destroyed when their use has ended. These red folders should be collected and put into a furnace. However, some sites cannot do this, so the classified data is loaded into a secure truck and transported to a specialist facility where to be burned.

The room I stumbled upon was a holding room. Either that site had suddenly finished using thousands of folders, or a collection hadn't been made for weeks.

I understood the sensitivity of the data in those folders. Given what the site was used for, I had extra knowledge of what was probably inside each folder. I did what anyone else would have done in that situation: I stole a whole trolley load. I didn't really steal it in the illegal sense—I had permission to take anything I wanted—but I was making a loud statement to the client.

I rolled the trolley down the corridor and into what could be described as part storage hall and part loading facility for lorries. I got the trolley down a small but incredibly steep slope that was clearly an afterthought in the design process for the dock and managed to open the loading bay door from the inside. Surprisingly, no one seemed to notice, care, or even observe what I was doing.

I decided to see how far I could take the trolley on its little excursion from its life of going back and forth in trucks. I rolled the classified materials past the offices, past the makeshift police station, and toward the main entrance of the site. I got as far as the public visitors' site before I realized that I had maybe gone a little too far and was in danger of putting myself and the data at risk. I quickly took the following photograph and, with the utmost care and speed, dragged the trolley back across the carpark, past two police officers who didn't seem to care about my trolley dash, and toward the loading bay, where the door was shut!

I had to think about what to do next: call for help (not great) or leave the data there while I broke back into the office and tried to open the loading bay door (not safe). What would you do?

Thankfully, I didn't have to do either. After a brief scout around with the trolley in tow, I found another way to gain access to the loading bay door and took the documents back inside without leaving them alone.

To this day, I don't believe anyone has removed as many physical classified materials from a secure location—and hopefully, they never will.

Chapter 5High (Street) Security

With a lot of security, it is less about technology and more about the culture of an organization and the education of people.

The very nature of human beings is what often helps me to do my job. I'm lucky that my wife is a world-leading expert and author on the matter of the human side of security: this understanding is key to creating a secure environment.

No other story I have displays this better than the following anecdote.

I was tasked with gaining access to a small business. Nothing fancy; this particular site was one of many. However, unlike all the rest, this small business had maybe fewer than 10 staff, and the contents of the building were unbelievably important.

The importance and sanctity of the contents of that one tiny brick building, nestled in the heart of London, would astonish you. Hiding in plain sight, down a sweeping road near some high-profile offices, you could walk past this site a thousand times and never notice anything odd. Maybe you would eventually notice that the lower ground windows were not actually windows but bricked-up, painted façades to give the appearance of a normal townhouse.

In much the same way that some London houses are entirely fake to hide the tunnel outlets of the London Underground (55% of which is above ground), this site was a façade to an impenetrable box. The building, as I mentioned, was made of brick. The height of the roof stood above the neighboring buildings enough to prevent easy access, and the fire escape doors were secure enough to prevent opening from the outside. This left just one entrance point: the oversized black door with a large central gold knob and security device attached to the undercover vestibule.