Mental Outlaw is the ultimate advocate for the Amish community.

the more I I learn about electronics the more I understand why most IT experience people tend to use as least amount of technology in their personal lives

Important things like this should be provided directly and ideally manufactured in the country using them. It’s silly to think our government and their contractors do stuff like this to save time and money when they could just hire a few more people to audit things as well as work with a local manufacturer

Quite common in Brazil. They swap the reader thing, usually from a gas station, with a hacked one. Then wait for the harvest. Got mine stolen once. 3 purchases at 1am. I was awake at the time, my bank sms me all purchases made over R$50, so I knew immediatelly, called my bank, cancelled the transactions and cancelled the card in like 20 minutes.

It's crazy how well social engineering and just standing around with boxes works

speaking of malware, youtube has been serving ads of "free games" websites, witch serves malicious fake installers, double packed MSI installer with a small c++ program (and some accompanying 7z archive with a password i couldn't find any ware) that fucks with your DNS config and bricks your internet connection, reminiscent of most of the malware you'd find on TPB back in the day

Actually government laptops are specced out to have CAC readers in the laptop, so not external reader is required. We also have cac readers within our keyboards, so a government employee should never have to buy a reader.

This reminds me of the Despicable Me meme: "First, identify smart card reader used by military. Second, get access to vendor's website where drivers are hosted. Third, infect it with well-known malware that's being detected by most antivirus software."

Ah yes, Amazon special Chinesium smartcard reader for DoD CAC authentication. What could possibly go wrong?

A company I worked for just gave everyone a laptop with a smartcard reader built in. Much finer control for them. We also used RSA keys and a password. I don't think you can get more security for online identification than RSA keys

Great timing. Pulled a fake keypad off my local ATM two days ago. Sneaky bastards

I cannot believe an IT person who works for a big IT company did not know about file signatures. When I download things like drivers from any vendor, I check the digital signature of the EXE and DLL's before executing the installer. In fact, I check this before buying a piece of hardware that requires driver installation. I visit their websites and download the driver file before buying the hardware, and check if the EXE is signed. If it is not, then I buy from a different company. I also did not expect so-called "smartcards" are just a mere password card, that if someone else read it, it gets compromised. I thought it would send some sort of calculated result so that only the device that has a previously agreed data can verify its authentisitity, like a bank OTP device. If it is just sending the same data whoever the reader is, why is it called "smart" card? It's a dumb card.

I work for a publicly run employer in the uk that's one of the largest employers in the country (work it out). Our smart cards for accessing the country wide databases uses an active x control in IE . The config file for this still states " do not change any settings as all settings are the same for windows 95 and NT " , smart cards are not secure !

An IT employee for a large government contractor bought a smart card reader. This is what happened to his highly sensitive data.

I've been in the military for nearly four years now. I'm happy to see that I've never seen any of these kinds of cac readers for sale, especially at the physical stores and gas stations.

Thats the CAC (common access card), something that pretty much every US military personal will use, along with everyone who works for the DOD. One thing I find weird here is the "drivers" you need are actually DoD certificates, otherwise CAC enabled sites won't load. (Though I'm pretty sure this is just so your local FBI or NSA agent can watch your activity easier) The one positive thing is the DOD has been issuing out laptops that now use VPNs, and already contain a CAC reader built with the certificates you need, and are continuing to improve their OPSEC mostly due to the fact that having people work from home during COVID instead of a secure office has forced them too.

Congrats on 300k. Thanks for spreading the information that actually matters!

I used to work for a DOD contractor. We where super strict on card readers and lucky we never had this issue. All of our external readers where provided by a trusted vendor.

You never cease to surprise me with these interesting vids, keep it up!

You could use a regular Android phone to “copy” and “paste” the balance of a subway card in Moscow. That’s how I got unlimited rides lol.

Saicoo Card readers, proceed to place a Yuan symbol on the online payments sign and encourage employees from the DoD to use it. It is obviously a Chinese spy tool, lol.

What is so hard about using pgp smartcards? Nonce in, signature out, access granted, no way to copy anything.

This would not have been a problem if the drivers where open source

When I was attempting to enlist in the army, all their laptops had a card reader built into them.

What kind of a brain dead govt agency would actually deploy workstations that don't have internal smart card readers? Oh right, quite a lot of them

In Brazil is very common in sales fairs and at gas stations , they modify they payment machines and insert some msr90 board or something like these on the video , criminals call this type of modified machine as "chupa-cabra" . And they also use jammers for block gps signals from the cars and than steal , they typically call this type of jammer as "capetinha"

"Security products company with unsecure website", yep, sounds about right.

Properitary drivers be like:

I always thought there's a private key in each of them, and therefore you cannot duplicate a smartcard by listening to the traffic. It's just common sense! RSA has been around since the 70s. Guess I was wrong

I work for a security company where we make security cards. A lot of high security places are moving to cards with an encrypted chip where it stores certifications, your fingerprints, and your photo. Similar to CAC cards. It's fully encrypted and the card is tied to the facility and the readers. The card you showed is a PIV-I card. It's very secure. The government is slowly moving to this. You need a scanner, that isn't just a reader, but one where you insert the card and it reads the chip. It's all tied to the individual. As far as readers go, use an HID reader. Our company has tore apart the drivers and such, and they are secure. For common smart cards and card readers, yeah. It's easy to hack. People are always the issue in security. But there is smarter - smart cards.

I love how the credit card companies decided to update their older cards to a much more VULNERABLE card. It’s like they WANT everyone to get their cards compromised. Plus I betcha they do, because they are most likely directly connected to those “credit monitoring” companies and they get more money from them every time a card is compromised.

thanks for the updates as usual outlaw!

yeah, but if I wanted to break into a building I would rather bribe a janitor to copy their pass vs having my face on camera intercepting their card.

Please make a video on how the internet of things will ultimately destroy the human right to privacy and make us subservient to the surveillance state. I do know you briefly touched on it in your Guide to Escaping the Botnet video, but an in depth video would be really awesome and do us a great public service.

Man your content is just awesome! I tell everyone to check out your channel

The company one of my friends works at provides laptops with built in card readers, they also have cell tower service so they don't have to connect to WiFi while they are not at home

As someone who works for a company that installs card readers in high security places, we only install swipe cards and we demand that we use cables rather than wireless transmission. Our system also nullifies cards every 2-3 days, so you have to get a new one at the reception.

I don't know about the authenticity of the web site you presented that had that card reader listed as recommended. In addition, any contractor that allowed average users local admin rights to install random drivers for crap wouldn't have their ATO for long and thus wouldn't be contractors for long I can tell you that much. Furthermore, when I contracted Federal IT I know we couldn't just hand out random garbage even for peripherals. There's actually standards in place that prevent even the purchasing of computer equipment from mainland China. Even the cards themselves are single sourced from one company to meet the HSPD-12 requirements.

Military contractor here, these types of CAC readers are used but not sensitive information, at most the hackers would be getting some PII. More sensitive information is still only able to be reached at your base with a different type of CAC :-)

Also, RFID/NFC/proxy cards are a different technology than smart cards

Mental outlaw is either the biggest redhat or straight works for feds lmao

I like to think that the hackers have a handful of weird dumps where they have no clue what the card is for, what the data is about or how to use it While in reality, it's stuff like Pokémon print kiosk cards or someone's memory card that holds a script to install the network driver for an industrial computer

The company that doesn't give checked (by the admin/security expert) devices to their employee/contractor, deserves to get pwned.

When I worked as IT, we had a lot of people doing work from home stuff. We had protections against this and actually survived the Kaseya Ransomware attack because of a tool... which for the life of me I cannot remember the name of. It essentially worked as a DLL and EXE whitelist - we had a contract with the developers to ensure they updated our whitelist with the file signatures of executable files that came from reputable sources such as Microsoft, Adobe, Chrome, etc, that we'd use on a day to day basis. Everything else would be hard blocked, across all our devices. It would most certainly have protected us against smart card readers with modified drivers. Though, one time, we had a whole day of printer issues because microsoft did a silent patch to Edge, which was responsible for ensuring PDF files print correctly from edge, so we had a day of nonstop printer issues, but it was a small issue :/

had no idea that people could just buy their own hardware like this for security critical tasks. should at least have a list of hardware that you need to purchase from or something.

so. this video gives me an insight of why my military laptop (Latitude Rugged Extreme 7214) has a reader for those cards, both contactless and slot to insert the card

And this is why physical security, with human security, will never be outdated.

That employee helped their company dodge not just a bullet,but an entire fucking nuke.

Another good example would be the Hak5 usbs. Think Mrwhosetheboss did a video on those, but all someone would need to do swap out a smart card reader that looks similar enough to whatever actual smart card reader you're using, and then they have access to all your credentials.

Small detail, a large number of Amazon reviews are fake but you’re correct in assuming at least half of those are actual purchases. There’s some sites that will scan listings and tell you the percent of fake reviews

i cant help but think that there was no hacker

I used to work in an IT department of a hospital and they used card readers in-house and 2fa when working from home, worked better imo.

I didnt understand why you would need a smart cardreader in home? I got a bit lost. Would appreciate if someone could tell,

In Brazil a guy managed to switch his card reader with gas'tation's card reader and recived 3 days of payments before be catch.

I suspect they are doing the same thing with Smart Lamps selling on Amazon that are impossible to beat on price but force you to allow access to your local home network traffic. Might be useful for a researcher to take a look at it, which I can use the time to jump deeper.

a long while ago people used to use coiled copper rods to extend the reach to their sleeve.

You'd think most companies/governments would have some sorta deal with a tech trusted tech supplier instead of simply paying staff to buy whatever they want.

The worst part is so many military website are flagged as not secure by browsers so many people just click to continue to unsecure website, because that's the only way to access the website. So it wouldn't surprise me if windows defender would have caught this, it would have been ignored.

things like these need OSS drivers with signed binary releases. Virustotal is not magic, it is rather easy to write undetected viruses, especially if their only job is to upload the smartcard data to a server. That is not even the definition of a virus, that would just be a modified/hacked driver

Congrats on getting that shout-out from Mutahar yesterday!

This is sooooo dangerous.... So many people need to know about this..

i feel like I’m watching a DedSec tutorial video

The first bag you posted is the good one to protect against rfid. They have larger sleeves too on amazon.

I believe new most Access cards/fobs systems now have 2 steps; meaning not only does the card provide a password to the opener, but the opener also put a signal back to your FOB and if your FOB cannot correctly verify the signal coming from the opener then the gate stays locked even tho the FOB has the correct access code.

this is why belgian ID card reading drivers are made by the government

My trusty ACR122U is always packed with my laptop when I'm on vacation :D Most of the card readers are just connected to "psychologically" give a false sense of security, nine out of ten times they aren't even securely wired!

This is exactly why we need open source drivers period.

Won't meet a decent cyber security analyst with a "smart home" to run everything.

Great video. So true. This can be a major attack point, especially in Pubic or private institutions.

I’ve never used a smartcard in the last few years that doesn’t use private key authentication. I’m sure they still exist, maybe Europe has different standards than the US, but once the card uses a private key, there habe to be multiple exchanges between the “reader” and the card for something to unlock, and the traffic is safe from a replay attack AFAIK.

I feel like if a weird creepy guy with too many bags was pretending to make a phone call next to the card reader I would wait for him to leave or try to make things awkward so that he leaves.

Aren't cards using NFC technology basically? The machine makes a small magnetic field around it, 10 cm range, so due to the electromagnetism the card becomes an antenna which sends the data back to the reader?

Nice modern rogue cameo

Don't most Dell laptops have a smart card reader installed if they require physical MFA?

we need the government to look at every item sold and look at every single person that buys and sells on Amazon

also having more than one card helps - cross signal protection

Modern rogue footage, hell yeah!

Something I leaned is that windows will go out and get drives for some things if the driver is proper signed. My guess is that when they made that drive it was but now it is not and that's why they had to manually install it.

Yeah, I totally believe that a "hacker" compromised their download page. Nudge, nudge, wink, wink. Pull there other one guvnor.

There are special laptops with card readers built in for people who this would be a major issue for

Smart cards are not vulnerable to replay attacks. They use the algorithm of challenge-response. They have another set of vulnerabilities but not that one.

The first part is about RFID/NFC tech The 2nd part is about Smart-Card tech

you found the ramnit dropper? This is big security news. Ramnit was thought to be dead a while back, but it has appeared wordwide.

How many things get returned to amazon and reshipped.. I have had a nightlight inside of a bulbed shaped security camera box delivered, proving amazon doesn't spend time examining the contents before reshipping. (was a camera shaped like a light bulb that I ordered, but a flashing night light bulb in the box when opened, I had to complain to get the correct camera shipped to me, so amazon just reshipped a return, what's stopping people from tampering with firmware sending items back and seeing who gets the device next?)

I prefer the battering ram method.

Even easier, just walk behind someone who goes into the office building. They will probably hold the door open for you out of politeness.

I dunno if this is off topic much, but I do wonder: Wouldn’t it be arguable that a company Requiring you to install their own, maybe even proprietary, software, just so you can get your job done is actually not reasonably accommodating??

We’re doing 2 factor authentication with our phones. It’s a little annoying that work requires me to use my personal phone, but it seems reasonable secure.

My ThinkPad has a Smartcard reader. And there seems to be some tricks to read out the data anyway I want. Would be great to have this tool with me. I also think there is an RFID reader in that laptop... Which should be able to read some more information.

The company I worked for had smart cards but they supplied laptops that had the readers already installed. I would have figured the government would have done the same.

It is pretty silly companies and agencies will hand out smartcards for better security but then can't be bothered to provide employees and contractors with a reader and rfid blocking wallet.

I encountered something similar getting drivers for an old fujitsu laptop, I used the (supposedly) official fujitsu support page, but after downloading one installer, even windows defender detected a trojan in the driver.

"curbs on security " 😂🤣😂🤣😂🤣😂🤣😂

Using Linux full time messed me up. In one case I complacently forget to go manufacturers website to download drivers in Windows.

Excellent video 👌🏻🔥 love the demonstration clips you got, I make videos sometimes and getting footage online like that takes a lot of work😂 keep it up man 💪

One does not simply buy CAC hardware from amazon for an ATO'd system.

When I had to use smart card at work, we were given laptops with smart card readers.

Badge cards typically must be used in very specific manners the closer they work with government controlled data, such as PII, PHI, or official data. Though if a company isn't having this enforced on them it's pretty typical that they will use whatever. You'd think banks in particular would take more care to protect their cards for example, but it seems that rfid chips in cards are quite compatible with thief scanners.

Oof, I was in the Army and never knew about sus drivers... fortunately I bought mine at AAFES and needed no additional drivers but I did need all sorts of security protocols.

Now those cc reader signal blocker sleeves finally have a purpose😆