Episode 14

Cyber Criminals at the Beach Ft. Rich Latulip

This week on Disarming Data, we’re speaking with former Secret Service Agent Rich Latulip, who shares his unique experience in understanding cybersecurity threats from the inside as an undercover agent tasked with building relationships with known cyberterrorists.

He tells us about staying at Thai beach resorts with cyber criminals so he can meet them in person—not online. He discusses the underground world of buying and selling credit card data and the challenges of conducting business as an undercover agent working with international law enforcement agencies.

Rich also shares some of the obstacles undercover agents have to overcome and how they maintain trust with their targets while gathering important information. Rich has some amazing stories, so please have a listen.

"I found myself in the Secret Service because I always had an interest in serving my country and protecting people."

— Rich LaTulip

"Computer crimes are financial crimes."

— Rich LaTulip

"Our goal was moving the digital world into the real world."

— Rich LaTulip

Episode Transcription

Andrew:

Terrific. Terrific. David, thank you and, Rich, thank you for coming on. So today we have Rich Latulip, who is someone that I've worked with for a long time in both of our prior lives. Rich is currently at Resolve IT, but back many years ago now was a Secret Service agent and one focused on cyber crime investigation. The thing that's interesting about Rich is he's done a lot of undercover work. When you think about hacking cases and cybersecurity, you think about undercover work, you typically are thinking of somebody who is just online with a different email address or a different handle pretending to be someone else.

The interesting thing is that Rich has actually been in the field doing undercover work face-to-face with actual people, which is I think pretty rare and very cool and exciting. He's been out of the service for some time now, not too long, but in the private sector helping organizations with their cybersecurity. So I think we've got quite a lot of different interesting areas to talk about. With that said, Rich, it's great to have you on the show. How are you doing today?

Rich:

So no, I just want to say first before we start, thank you guys for inviting me on to Decrypted Unscripted. It's great to be here, and I do appreciate the opportunity, guys, to speak to you about what I've been able to accomplish during my career and then, of course, post-career as well working in private industry and being able to take the knowledge, experience, expertise, and transform that into real world protection for at times when we look at it, the one side, which I did quite a bit was looking at the companies who had been victims at one point in time and making sure that we were finding the advanced persistent threat who caused the damages to those corporations, and now I'm able to turn the tables and say, "Hey, let me help that corporation and prevent them from being a headline or from becoming a victim and losing intellectual property and having to answer those questions to the regulatory committees or law enforcement or their consumers."

So this is where I've turned that corner to be able to help, but we rewind, obviously, the time that we spent together, Andrew and I, working a lot of cases and diving deep into that cyber underground or the dark underbelly as a lot of people like to say of the internet. So we did a lot of work in that realm, and I was able to accomplish quite a bit. So great to be here guys. Thank you very much.

David:

That's wonderful. Rich, we always like to start out just really with the background of our guests, literally just where you were born, where you grew up, how you found yourself in the Secret Service, and why you have a jersey of Joe Montana in the background, the whole thing, but if you just tell us a little bit about yourself and, obviously, what led you to do what you did with the Secret Service there.

Rich:

Yeah. It's always funny because a lot of people I talk to, they always say that we don't need to hear the day that you were born till the day that you are here present. That takes too long. So it's almost as if I was born, of course, I tripped and fell, woke up, and there I was in the Secret Service and now I've retired. Everything goes by so very quickly and it's like a snap of the finger. So it's pretty interesting, but it was interesting for me as well.

I went to the university, and during that time, there was always a conversation of what will you do, what won't you do, and stuff like this. So I was always focused on law enforcement, but I wanted to have the impact, which would be a little bit larger, at least in my own mind at that time. You learn a lot after you actually do it, but at the time I thought, "Well, federal law enforcement would give me an opportunity to be able to have a larger impact not just in the local community, but more for the United States." So Secret Service was attractive to me at the beginning because there was a dual mission.

I appreciated that a little bit of switching up what you were doing on a day-to-day basis. One day doing investigations, the next day you might be protecting the president of the United States or another foreign dignitary who happens to be coming into the United States for whatever it is, a conference, United Nations, what have you, but those were things that attracted me to that organization.

So I tried to create a career path or at least an education path that would be able to put me on track in order to accomplish that goal. So as opposed to pivoting to, say, a local or state law enforcement agency or organization, I looked at the border patrol as my first stop. I was there for about two years and then pivoted into the US Secret Service. There I stayed till the remainder until I retired, which was total of 25 years, but 23 of that was spent with the United States Secret Service.

So that was what I at least envisioned as a young man trying to get into an organization. Of course, interestingly, I thought criminal justice would be the best path to take. Now, I think when I talk to young people who are interested in trying to pursue the same career path, I let them know that, at least in my opinion, I feel like an English degree or speech communications degree or a different type of degree would make you more well-suited because unless you plan on doing a full until you're 57 in the Secret Service or any federal agency for that matter that's a gun-carrying organization, you may end up in another career, and English, you write a lot, and you prepare a lot of documents, that gives you a great start to be able to do those types of things.

I know that my first reports that I wrote when I had a senior special agent look at those documents, I would get them back and they would look blood red from all the ink and all the corrections. So that was another reason because we're expected to write documents that are going to go before attorneys, that are going to go before judges. You're going to have juries. To be able to speak properly, to write properly, those are all presentation facts that you need in order to be successful. So my recommendations now is those type of degrees that can better prepare you to write those legal process documents not just for your local jurisdictions, but sometimes for others.

I had that fortunate opportunity doing cybersecurity for the United States Secret Service traveling not just in my home district, but going elsewhere writing legal process and working with attorneys. So there's an expectation that you're able to write these documents in a professional format and be able to quickly engage, get those documents before either the magistrate judge or grand jury so that you can move forward those cases. So that's how I at least looked at things and prepared myself.

Of course, at the end of my career was now an opportunity to do the same thing where I had to now determine what is it that I needed to do to better prepare myself, and that's why I went forward and looked at the best practices. You start looking at regulatory, you start looking at what do you need to be successful post-career. I had that cybersecurity background, but how would the industry look at me just coming from the United States Secret Service? So I went forward and got advanced certifications, built up my resume in that regard so that I can prove that I'm not coming just from someone that maybe investigated a high profile crime or two, but I also have proven I'm able to understand the various security frameworks, the ideology of implementing a strategy, working with organizations, partnering with key leaders, and really get to have that chance to make sure that the company understands the importance of cybersecurity and how to protect their network and how to be able to be more resilient from that advanced persistent threat who may be trying to steal the intellectual property.

David:

How did you become involved in the cybersecurity and then how did you become an undercover agent? For want of a better word, that's what you were.

Rich:

Yeah, that was an interesting part as well. So I do remember there was, and this is rewinding the clock back to 2002-2003 timeframe. So I was just doing a lot of financial crimes investigations. I was actually attached to our regional fraud task force where I was leading that effort for the San Diego field office. During that time, our forensics program was just getting launched. So we were working with EnCase. I think it was even 2.0 at that time. So this is turning the way back clock and going a little bit pre where they currently are as a company or an organization.

So I stayed away from it. I was just doing financial crimes. I was submitting documents or I was submitting pieces of digital evidence for review, and I was getting reports back, and the reports that were getting back just didn't make any sense to me. I got no explanation as to what it was. It was just "You asked for this, you got that. You gave me a keyword, here's your keyword." So it was oftentimes because, again, there's no explanation, they didn't say, "Well, this is unallocated space. So there's no real format to it. You're going to see it with a lot of stuff that means nothing, but then here's something that's a keyword and you need to be able to maybe go further."

Well, I didn't like the reporting formats that I was getting, and I also didn't like the fact that sometimes they didn't go further. If I search on a keyword and then I get a return, I can actually be an investigator at that point and be able to find more and produce more for the agents. So you can take the original lists and then expand upon that list and then provide the agent a lot more useful data or information that they can go after, and then also being able to put it in a format that's a lot more readable as opposed to just capturing a large group of data, putting it in a text file and shooting that out to somebody, narrow it down to what they're more interested in.

So that was probably of a driving factor for me is to get into forensics so that I can start producing a better product for those people who might be the consumers. So your consumers at that time would be any agent that would be investigating a criminal matter. Most criminal matters at this time were all going digital. There was computer almost involved in everything. I joked at times about financial crimes and computer crimes. It's really just computer crimes are financial crimes, just using a computer in order to do what you were trying to do.

When we first started doing this, you would have the Mips VersaCheck program, where people were printing off checks from their computers. You'd get a roll of checks, you would print that out because you would do a dumpster dive so you would get the ABA number and you would also get the banking account number, and you'd have your opportunity to print as many checks as you wanted to. So we see computers being used. We saw it being used often in counterfeiting of US currency. So there was a big need to be involved in that space.

So in 2003, I started the journey in computer forensics. By the end of 2003, beginning of 2004 is when I ended up graduating that program. That was about the time that Operation Firewall with the United States Secret Service was ending as well, where they were doing search warrants, they were making arrests, and they were looking for people who might want to join that. I stayed away at the time because I was like, "You know what? I've got more than enough to do in San Diego and I don't need to go and start diving into other districts and start doing cases elsewhere because I already am up to my eyeballs and doing casework in San Diego."

So I deferred not to help then, but unbeknownst to me, I would quickly stumble across a very high profile person in the San Diego area who was in that underground world who had been doing a significant amount of business. He was running a very large operation, making very significant profits, and he was not just on the radar of the Secret Service, but he was on the radar of other organizations because he was doing pretty much everything. It was also a little bit of dabbling in the sale of drugs. It was the dabbling in the world of gambling. It was in the world of also the cyber crime, and running such a large organization, we decided to go after and focus and target the person. He was originally probably, and this is a little his story that I'm mixing into this, but he started off in a case locally where we didn't go further than we should have. We should have gone a lot further, but he was skimming at local restaurants. So his journey was interesting as well because he went from skimming and putting himself at probably the forefront of risk.

David:

Sorry to interrupt. Can you explain to our audience what skimming is?

Rich:

Yes. Skimming is when you have an opportunity, a person will present a credit card to you and there's an electronic device. It looks like a ... It's often very small card reader, if you will. So you would take a credit card and you would swipe that through the magnetic stripe reader. That reader would be able to capture the data. Most credit cards have three tracks. So it's track one, track two, track three. Tracks one and two are often used by the credit card industry in order to do the necessary encoding to process that credit card. Track three is often used by the hotel industry so they can use that to get into maybe your credit. You'd use that to get into a hotel room. It's usually just not a lot of data on that track three, but tracks one and two were very important for the credit card industry.

That would be all captured by this card reader, and then you would be able to later plug it into your computer. Then with a simple program, you can look at that data. You can then manipulate the data. So for example, if I wanted to change it from my name Richard Latulip to any name in the world, I can do that. Then all now I needed was to get counterfeit credit cards or they would call it online plastic. I would get that and then I would be able to emboss it. So they sold all this stuff, by the way, if you knew the right people. I can get in that more a little bit later, but that was where I ended up being as well.

If I just backtrack just a little bit in terms of how you got started, skimming originally, but then there was a person up in the LA area operating a store called You Buy We Rush. Unbeknownst at the time, they went up there and wanted to buy the latest and greatest skimming device, and that was where the person introduced them to the underground world and also moving yourself away from that, very risky part, not skimming at local restaurants or at local shops that accept credit cards, but now being able to go online into a digital world where you create a pseudo name. Online nicks is what they usually call them, and then you would partner up with people sometimes in locations you may never have heard of where you're asking to purchase track data.

They would call this a dump online. So each dump equaled one track. So you would get the track two. Sometimes you'd get track one and two. It depended on what was within their holdings, but you would be online. You would meet these individuals, and then you would have to complete the deal or the transaction. Often, that was a unique proposition for people because if it's you and I standing across from each other, at least in our world, we can look at each other and there's some level of trust, but if you can imagine giving you a name that you've never heard of, nor do you know how to enunciate, and then tell you a city that you don't even know where it's located, maybe you understand where that country is, but that city, it's not usually or often the main city.

So now, you're asked to be able to send cash in its entirety. So if you want one track, maybe it's $20, maybe it's $50, it just depends on whether you're getting a business card, a gold card or a classic card. So you send the money via Western Union or MoneyGram, and they would pick up the money, and now you're trusting that you would send 200, 300, 400, 500 or $5,000 and you're trusting that that person on the other end would pick up that money and turn around and sell you or send you that product via email.

So in 2003 and 2004, that was putting a lot of trust. So it was really hard to get people to start doing this, but of course, good news is word of mouth travels very quickly. These forums were able to gain a foothold into that world. Also, it almost ... I remember in 2008 when people had asked me, "How do you know what forums to go to?" and I would just say, "Google it," and you were able to Google the forums. Now, security or opportunity is much different than it was back in 2008 and 2009. Here in 2023, it's completely different, but that was how you did it back in that day if you didn't know how to start.

Then of course, if you're just an entrepreneur, you probably already had the other data that you needed, and all you really needed to do at that time is to get an ICQ handle and create a name. And you had that layer of anonymity, and if you were even more, let's just say forward thinking, you would get other people to send your MoneyGrams or your Western Unions. I know that on the other side of the world, the people accepting it, they already had this thought out, but even it was still interesting because ... So the case locally for me, we ended up moving forward on that case and making the arrests and debriefing the suspects and then being able to understand the complexity and the globalness of that case.

We were then looking at it from another lens of saying, "How is it that we move this into something that's worthwhile?" Well, our main suspect, who was the person who communicated online with these various pseudonyms, he was just fresh from a travel to the far east where he met several of these people. So that put it into another light for me where I said, "Okay. Here's an opportunity because we have an individual who proves that you can travel internationally and physically meet with these targets," and in San Diego at least in terms of our direction from the local United States Attorney's office, they had no interest indicting people who they knew the odds of arresting were very slim, often to none, slim to none. Slim just left town as well, and they also wanted to know the name. They wanted to know the real name.

We didn't want to just say ... You can use my online handle. I had many of them, but if you just used that and said, "Okay. We're going to indict that online handle and we're going to then hope one day we can put a name to it," that's not what they wanted to do. So we had to make sure that we had concrete evidence that would be able to say that this individual that we're saying is this pseudo name online is this real world. Funny enough as we started to be able to build our cases, you would look at the infancy of anyone's criminal opportunities. They made mistakes just like anyone else. Maturity is a lesson, sometimes hard learned, but these people learned this over time.

They switched pseudo names. They've reinvented themselves often, and as they reinvented themselves, they tried to distance themselves from the old pseudo names that may have had the breadcrumbs that we needed to use in order to identify those individuals and then later arrest them in indictments.

Now, all of that's great, we've got you arrested, you're indicted, but often, these persons that are of great interest to us are working in countries that are non-extraditable. So now we have to start gaining a foothold into our mutual legal assistance treaty programs with our Office of International Affairs. This means often partnering with foreign law enforcement or even foreign government because, quite frankly, we have to go through that process working through the Ministry of Foreign Affairs using the red notices. So all of that then now is an extra layer of bureaucracy that we need to go through in order to start even that hope of being able to arrest that person. If they're in these countries that don't necessarily participate in the programs, we run into the other problem in life of we know where they are, we know where they're operating, but we can't touch them because they're in a country that doesn't cooperate or collaborate with that program with the United States. You can still be in the program, but you can just say, "Hey, the United States is not a country that we're going to extradite a citizen to."

So that led to the next problem whereas we've got the indictments, we've got the red notices, and the fingers crossed that they would travel outside of the country that's not extraditable to a country that would be extraditable. So that wait could be a long wait at times, but getting ahead of myself in terms of a lot of where I was in this whole world of underground economy, undercover activity and work.

Andrew:

So that's fascinating, Rich. I think you did a really nice job of laying out all the issues that are relevant to these operations, especially attribution, figuring out who was behind the nickname for the hacker that you're looking at. What was it like for you, and as I said before, and as you alluded to in your situation, you've had some opportunities to actually be face-to-face with some of these individuals to be able to get that evidence, to be able to get that information, and I don't want you to share anything that you can't share, but what was that like for you? Could you give us a snippet of a day or an anecdote or something to give us a sense of what that might have been like? Again, only within your level of comfort.

Rich:

So for a period of time, I worked as a diplomat in Estonia. When I would say Secret Service, everyone thought it was CIA and I had to correct them and said, "Look, I'm not the CIA. I'm a Secret Service. We are a law enforcement agency that works within the public realm." So any indictment that I put forward has to have ... We need to achieve a level of probable cause. That means that I cannot hide behind secrecy. I cannot hide behind a cloak of anonymity. I have to at one point in time testify before a grand jury or testify in court if I need to, and I have testified in court. So there is probably more that I can share, and a lot of the persons that I would be speaking of today are indicted. It's probably pretty well-known public information at this time.

They still may be wanted for one thing or another, but it's not like they don't know that they're not wanted. So I'm not necessarily going to divulge any secrets per se, and I won't talk about anything that goes into the other realm of secrets and not secrets that one might think of, but just law enforcement sensitive data really is what I mean by saying that. We just don't want people to know that they've indicted because it would not necessarily encourage them to travel outside of the country. So we won't speak about that. Quite frankly, I'm not involved in that anymore. So I don't live in that world. So I'd be completely out-of-date. So I'm going to only be speaking about things that have happened 12 years ago.

For me, it's comical. You watch the movies. You see ... Maybe Donnie Brasco is something that you watched and it's very exciting, it's very cool, and a lot of people are drawn to that. It's really exciting when you think about it, but I can only tell you that I was buried up to my eyeballs in paperwork, and that part of the whole thing was not very sexy, whatsoever. I had meetings after meetings and documents that I had to prepare after documents. There was a lot of logistics in terms of planning, but let's cut aside the 95% of my life and say that that 95%, which was buried in paperwork or just logistics and get down to the brass tacks of it all.

The working online and undercover operations, they were obviously very attractive. It drew even me into it in that world where at times you're talking to these people at it could be 1:00 in the morning or 2:00 in the morning or any hour of the night. So the whole idea, for me at least, was to get online, to talk to these individuals, to be able to build up rapport, and then to try to move it to the next world. So our goal, as I mentioned before, was getting the real world name, the attributions that we would need. So it was moving digital world into the real world.

So like all other operations, we started online. We started talking to everybody, but because maybe it was my way I spoke to people, maybe it was the way I presented myself to people or it was a lot of luck, but within two months, we had our first undercover meeting opportunity. So that moved into gears, the, "Okay. How do we tie back everything to where we currently sit?" We need to have venue in our district over that individual. So we set up online our methodology in terms of working with that person where we started, whatever it was, criminally together online in San Diego, and we concluded that in the location in which we met.

So when we worked everything together, we figured out how to do that. So it was buying a hundred pieces of plastic, which was the fully embossed credit cards with the track data on the backside of it. We worked out the entire detail. I provided the track data along with the names of everyone that I wanted these credit cards in Boston, and then I traveled internationally. I met with these guys. Now, our first operation was a complete debacle where I had so many guardrails set up around me that I couldn't even really operate as a normal person. You can imagine traveled from the United States to the far East, and those are not short flights, by the way, and I was limited by our own processes to four to five-hour meetings. You couldn't leave the location where you first met.

So here I am, a high profile person sitting across from me in a bar. They're interested in going to eat, and I have to figure out a way to say no like, "Hey, I'm cool. Just sitting here in this bar. I don't need to go anywhere and I don't want to go anywhere. I'm happy as can be," and they're sitting there, "Well, don't you want to see? I can show you these places within the city and we can check things out." I'm like, "No, dude, I'm cool. I only got four hours and I'm off."

So very frustrating. We did meet. We met with three. Well, it was three. It was two different people at that time. So we met with two different people and then we found out there was drama online between those two people. So then I needed to make sure I had separate meetings between we didn't want their paths to cross and see each other. So now we're trying to play this game of you stay over here and I'm going to stay over there, so to speak. So we separated it by days as opposed to one after the other. It was the same guardrails, couldn't leave, it had to be a four-hour meeting.

I know there was another situation that caused a lot of stress as well because where we had gone to, they actually had a magnetometer that you had to pass through. This was for my safety and for everyone else's concern because if I'm passing through the magnetometer, then everyone else would, so to speak, but then again, you never know the level of how the magnetometer operators are working it. So it could have been a false sense of security, but whatever. We got past that very quickly, but you couldn't bring bags into this place where we were at.

So I had a bag and I had a laptop computer in that bag. Of course, you could imagine the outside team sending me a message saying, "Hey, by the way, he's two minutes out." Then I get a text message saying that he's two minutes out. So correlated pretty good. So we had eyes on and I had also communication directly with him, and then all of a sudden, my boss calls me and says, "Hey, you have to ditch the computer," and I said, "Why?" Because this was a gift for the person I was meeting. I was gifting it to him.

"Why am I getting rid of this computer? He knows I have it. He's expecting it. What am I going to do?"

He said, "Well, where you're at doesn't allow bags, and so you wouldn't have normally been able to get that bag through so that the person can have it."

I said, "Well, look. I'm here. I have the bag. He's literally walking through the door. We're going to deal with it. I'm just going to deal with it."

Everyone does their job differently and sometimes they're successful and sometimes they're not. We're just going to go off that, "I'm a dumb American. I have no clue. Here's the bag. Here's your computer. Take it. It's your gift." So it worked perfectly, but if you can imagine trying to make a lot of stress for you right before you're about to say hello to someone you've never met before, that could be one way of being able to create a stressful situation.

So luckily, I have a little bit of that personality where I was able to just let it roll off, but this is what you also had to be able to overcome is not that natural nervousness or the fear of getting caught or, "Does this person know who I am?" Typically in law enforcement when we do surveillances, our biggest concern when we're looking at the bad guy and observing him from afar is, "Oh, am I burnt? Does he know I'm here? He's got me. He knows who I am," and stuff like this. So that was not an easy situation to be in, but luckily for me, everything did go well.

Now, there was fallout from everything. We did find out afterwards when we left through other people. So that was another trick that I did. Everyone also noticed that, "What board are you on? Where do you operate?" I wasn't part of any of the boards. I didn't necessarily go on the forums. I didn't talk to the bad guys. I didn't get into the drama. Everything that I did and built up in terms of my network was word of mouth, recommendations from one person to the next.

So we started small with about five to six people, and we ended up growing to about 50 to 60 people as connections that I had within that underground community, but I did this almost all or exclusively just by word of mouth and meeting people and growing that network. So it was very successful in that regard.

So the fallout from that meeting was Rich was a boring dude. He didn't do anything. He didn't go anywhere. Very lame, so to speak. So when I was trying now to get other people to meet with me, that was now another thing I had to overcome. Why would I travel to meet you anywhere in the world if all you're going to do is just say hello and see you later? So now it was going back to the drawing board, using this as basically the baton, if you will, to beat it into people. We cannot just be this very inflexible, boring, lame individual because, quite frankly, if you sit in the corner reading a newspaper in a party, no one's going to talk to you, and more than likely, no one's going to invite you to the next party. So there's your problem.

Andrew:

You needed to be able to secure the ability to party so that you can have the credibility that you really need out there. That's crazy.

Rich:

Yeah, and make no mistake about it. With the party came the business. They were held hand in hand. There was another thing that I had talked to people about all the time. I said I can be the most charming person in the world, I could be the most hysterical, funny, whatever, it doesn't make a difference, but you still need to conduct business. So another hurdle that we had to come over, which was internal to the Secret Service is, "Well, we made one deal. Why do we have to do another deal? We have all the criminal actions that we need against this person." Well, one, you want to show the magnitude of the case that this guy is not just a one and done kind of person, that he has a penchant for doing things like this. So we can argue that we can do one, two, or three deals, but now, this was an undercover operation that lasted almost three years.

So some of these individuals I had to deal with for that entire period of time. As we kept learning when we didn't do deals with anybody, they slowly stopped talking to me. Why? Because the people that I'm talking to have clients that are also pining for their time, asking for them to talk, trying to build that relationship, get better deals, if you will, on the products that they're buying. I was in that same boat. So if all I was doing was strategic buying every so often, I was losing the foothold or the attractiveness because, yes, it was interesting talking to me, but we don't do business. So we're not going to do business, then there's no point in me continuing talking to you. They've got better things to do. So this was another lessons learned, whereas that we can't stop doing business with these people because if we stop doing business with them, then there's no reason for them to actually talk with me.

David:

I read that interview you did with Dimitri. Dimitri's on our show too. The funny thing that you said reminded me of some other man that deal with this that you had to meet these people at beach resorts because that's where they want to go. They don't want to go to the museum, and then they started giving you grief because you're going to all these great resorts, and then-

Rich:

That's a story within itself because as with anything, there's internal politics. I told you that we're talking about the 5% of my life that was cool, that was fun, that was enjoyable. The 95% is the logistics and the working the back channel, sitting on the phone with headquarters, writing the reports. So some of my reports, by the way, were over 150 pages in length because there was just so much activity that was happening. Imagine talking to 10 people a day and then having to write up those conversations and being able to say, "Hey, this is what happened. This is what transpired. This was what's important that came out of those conversations," and then having to brief people about those conversations.

Well, this was an embassy. Well, there was a couple of things that were playing into this whole world of things is we had to look at who the person was and where they live currently, and what restrictions that they had for them in terms of travel. Just because you want to go somewhere doesn't mean that you can go somewhere. In the United States, we have it fairly easy because we can get a visa and we can go most places in the US or not US, I'm sorry, globally without much problems. Maybe if you want to get a visa for Russia, you've got to pay a little bit of money or maybe you want to get a visa for another country, you have to pay a little bit of money, but that's not applicable to every country in the globe. They have to go through more steps. They have to prove an income. They have to prove that they're going to return to their home country, that they're not going to stay beyond the visa or beyond the visitation, if you will. So we had to make sure that, A, the person can go to that location and, B, that they wanted to go to that location.

So as much as I may want someone to come to Boise, Idaho because it's easier for me to arrest the person, it's a very boring location in terms of a foreign looking in. Maybe they would want to go to Vegas, maybe they would want to go to Miami or maybe they would want to go to New York, but then can they go to New York? That would be the problem that we would run into. So this now meant we had to look outside the United States and we had to go globally. So we looked for locations that would be attractive. So that was the same concept. No one wants to go to Siberia in summer. They're going to want to go to the place that's a fun destination or, for example, another thing is you live in Siberia, but you want to get to that hot, nice beach location.

So I ran into a problem where now the politics internally was you're guiding these conversations so that people are going to these very nice resorts, so that you can go find whatever. So then we picked a random city in a country that was not on a beach, was in, if you will, landlocked, not able for you to get to a beach, it would be more just a touristy opportunity to socialize, take advantage of the other activities that were offered. Then of course, the question I got is, "Why do you want to go to such a horrible location?" I can't win. I pick a nice destination, you don't want to go there, and I pick a bad destination and then it's like, "Why would you go?" So it was a no win situation for me at times. So that was another challenge of working that, but nonetheless, a lot of enjoyment as well because of what I was able to accomplish.

Andrew:

The one thing I remember, Rich, you mentioned this before, your ability to stay cool and how that's useful to you. I think it truly is an ability. The one story I remember is we had a big take down for an indictment that we were working on together. Rich, I don't know if you recall this. Typically what happens when we do this is the prosecutors annoy the agents that are actually making sure that the searches are going to happen, that the subjects are on the right place for arrest day. So by tradition, we were doing that and we wanted to make sure that one of our targets was flying in and we had to go through a whole rigamarole around that as well, was actually in country so that all the arrests could happen at the same time. So we asked Rich, who was monitoring the situation, "Rich, can you send us confirmation that our subject, our defendant is in town?"

He sends us a picture and it's literally, you could see the pores on this guy's face. We were all panicked like, "Rich is definitely burned." I'm like, "Guys, I know Rich for a long time. He's totally fine. He could have sent us a selfie with the two of them and everything would've been under control," and it was, which to your credit, you definitely had the ability to adapt to all of these situations and to remain calm and to maintain your credibility. So that's something that I remember from our experiences being just one of the tremendous things to watch in you doing your work.

Rich:

No. I remember that the phone calls of, "You've got to get back. You can't get that close. You can't do this. You can't ..." I remember the phone calls. Again, that was what I was talking about before is inherently as law enforcement, we have this concern of always being burnt. So if I'm too close, then I'm burnt. If I'm doing this, I'm burnt. I think this was also one of those times where just looking around and just doing your observations. Everyone has a cellphone in their hand. Most people aren't even paying attention to the world and even what's around them. So it was very easy to just play a lost soul or someone who's trying to get a signal. We're speaking on a voice, but if you can imagine if you're standing there holding your cellphone up in the air and you're turning left and trying to get a signal. If I turn left, the signal's going to come in better to the right as in to the left, but you can imagine people doing that and they still do that today. It's like, "I can't get any signal, so I'm going to pick my phone up and raise it above my head. Oh, look, there's the signal. Now I found it. It just happened to be above me, not where I am at, my level."

So just sitting there and thinking the same thing like, "Okay. I could be any person that's looking at a map, trying to find my Uber, trying to do ..." Who knows what it is that you're trying to do, but just as what I was doing was just taking the photos with the cameras. I think also I remember going into the business as well like, "Why did you go into the business?" Well, because it's a business and you go into businesses and these are just the things you do.

Andrew:

That's funny.

David:

Well, I've heard that story about you having to party all night with somebody. I can't remember where the resort was, but you had to empty the mini bar, and you know what I mean? I don't know how you did it.

Andrew:

That's what generates all the paperwork, by the way.

David:

Oh, is that right?

Andrew:

Some of it maybe.

Rich:

Those stories were interesting as well because the person I was with oftentimes, they would go back, they would go to sleep. I would have to go do a debriefing. I would remember that the supervisors would all often say, "You've been up all night. You've been ..." whether it's been at a nightclub or ... In this particular situation that you're referring to, that was actually in the hotel room with the target. That's a story in its own right because one that I've told in terms of giving presentations about the operation and saying, "How is it that you operate or what is it that you do?" So remaining calm or being able to work in a fluid situation that's developing and sometimes devolving.

So this particular day was interesting because we're waiting again for their arrival. So as we're waiting for the arrival, of course the general nervousness of, "He's not coming. They're not going to show up. You've been left high and dry. Calm down. It's okay. Things happen. Flights are delayed," any number of reasons why someone is not where they said they should be at the particular moment in time that they claimed to be, but I had already left a message saying what room I was in. We were all in the same hotel anyway, so it's not like they didn't know or they wouldn't know. More importantly, I wanted to let them know the room I was in because the last thing I really wanted them to do was just go to the front desk and start asking questions of what room you possibly could be in and not knowing whether the front desk would keep that information to themselves or they would hand it out. So I gave out my room number.

So we're waiting and waiting and they're supposed to be here and it's already about 9:00 in the evening or 9:00 PM in the evening. So a knock at the door not knowing who it is. So I answer the door and there they are standing on the other side with a bottle of vodka, "Hey, we're here. We made it," and I'm like, "Oh, shit. That's great. Hey, [inaudible 00:43:37] You're here." Didn't know that so I couldn't tell the team right away. So nonetheless, they're here and they were hungry. So we went downstairs to the lobby restaurant and had dinner and had some drinks while we were there.

So I sent the text messages and let people know, "Hey, everything is going well. The person is here and we're meeting and we're still in the hotel." So we're hanging out in the hotel. This, by the way, is when you can actually go places. I didn't have to have that restriction of staying in one location and not being able to move left or right. I can go pretty much freedom of travel wherever I can go. So we went downstairs, we had dinner. Thinking that the person just arrived, they're probably going to be tired and the night would end, but they invited me up to the room, "Hey, let's go up to the room and have some drinks afterwards."

So I'm like, "Okay. Well, that's a good opportunity to go see your room." So we walked up to their room and hung out in the room. So in the room, they showed me a couple of things. This guy had a counterfeit Interpol badge that he carried with him to claim that he was something that he wasn't. He told me how one of his problems was why he was delayed. He put $3,000 cash in his bag that he checked, and for whatever reason, the $3,000 wasn't there anymore. I was like, "Duh, why would you put $3,000 cash in your check bag?" Really not smart. Anyways, so that was something as well.

Anyways, now we're busting into the bottles of vodka and we're also busting into the mini bar as well. So we're now drinking. We're on the patio. We're having a good time. So as the things, as we're drinking and as we're doing stuff, he asks me a question and I give an answer, and the answer wasn't aligning to what I had told him previously. So he called me out on it. He said, "Hey, look, when we've been talking online, you told me you didn't have any siblings." So now here I am caught red handed. Two different ways in which you can operate in this particular moment in time. One, you can get very nervous and start mumbling around trying to do whatever it is that you would do. So what I ended up doing was pivoting in the other direction and just basically looking him straight in the eye and saying, "Yeah, of course, I lied to you. I never told you the truth when we were talking online. Why would I tell you the truth? I don't even know who you are. So now we're sitting face to face to each other, now we know each other, we're drinking together. Now you can know more about who I am and what I do. So this is a different level."

He looked back a little bit, raised his eyebrow, was understanding he did the same stuff online. Your online world is nothing but lies, and we all know this because we investigate those cases where you can be whatever you want to be. If you want to be a dragon online, you can be a dragon online. So this is how this world operated at that time. So really interesting, but again, it raises those little hairs on the back of your neck because you've been called out. Now you're being challenged it. How is it that you react very well and can tell the story of if you survive through it? Maybe there was no threat to my life per se, but my undercover life of continuing to work in an undercover capacity could have been jeopardized very easily and I'd get called out as a rat or I'd get called out as who knows what, but it survived that test. Obviously, the relationship grew and we met in other locations and continued our work together.

David:

I got to ask, Andrew, you probably know all this stuff, but what happens, Rich, when they finally get arrested, they find out that you've been posing as someone else? What's their reaction? Do you see him and talk to him?

Rich:

So it was actually interesting because when one of the main targets was arrested, I was present. So I was there with them when they were arrested, and I was taken into custody as well. It was trying to keep the whole undercover identity going because we knew that eventually discovery is going to come. Plus, we were looking to do extradition with the country where the person was arrested. So we knew that my life would be limited in terms of working undercover because of the discovery that would be forthcoming, but we would have some time in which we can continue that persona and keep that alive. So the idea was, "Okay. Well, I'll go through a lot of the steps as well in order to make it seem real world, as real world as it can get." So I was there for the interrogations. I was taken away. I was interrogated, so all that good stuff, but now the next step happens is, what do you do? Do you not say anything? Do you run away?

I took the other approach where I said, "You know what? We need to get online and we need to tell everybody what happened because that would be an instinct that you should get," and then the secondary thing is try to raise money for the legal opportunity that they're going to face or that challenge they're going to face. So I was trying to raise money for them and be helpful as possible. So it was interesting, and this dovetails into other stories because we had to gain the trust of people to meet with them face to face. So I do remember meeting with people, and I do remember having those conversations, but this all come together here very shortly.

The idea was one person is going to be vouching for another. That's just the way the world works. That's how I got introduced to all these other individuals is that we would get introduced and then they would say, "Hey, this guy I can trust. I work with him. I know him." So the idea was we go back or I digress a little bit and we go back to that first story. That first story where I was lame and I didn't do much and I was not very cool. So that very first story, the problem that we ran into was no one would want to hang out with me or no one would want to do ... So we went back and started hanging out with these same people. So I knew that the world or the circle that I lived in, that they lived in. So the idea was build up this good relationship, make people want to hang out with you. Now we've met with him once, twice, three times.

So now I had the opportunity where we're in this person's room, his hotel room, and his computer is up and running and I said, "Hey, do you mind if I use your computer really quick because I have to send a message?" Well, his ICQ channel was open. He gave me permission to use the computer and what my goal was to say to another person under that other nick, not my nick, but another nick, saying, "Hey, this is me. I'm on this person's channel right now and we're out hanging out having a great time and partying, girls," and this and that, all the stuff that you can think of. So they're like, "Okay. Well, here. That's cool." So now I can see there's that relationship.

So then the other thing was I leave that, and then now that person I just met sends me a message and says, "Hey, so-and-so was just asking about you, and he asked if you were a cop, and I told him there's no way that you're a cop, that you're cool," and stuff like that. So that all worked together. So after everything happens and everyone gets arrested, no one believed that I was actually a cop.

David:

Wow.

Rich:

Even after people said that, "This guy's a cop." I even interviewed one of the people I met face to face, and I'm sitting there interviewing the person and saying, "Hey, okay, well, do you want to come clean? You want to tell me what's going on? You're going to get extradited to the United States," and so on and so forth. This guy is still lying to me like he's never met me. So I had to remind him, "You do realize that we partied together and what we talked about what we did." He finally slumped over and he's like, "Yeah, I know. I know," but I don't know if people still or don't. I would think that they know now. There's been a lot of things that had been written, a lot of places that I participated in.

Again, I go back to the same thing that I would tell anyone else is during the time that I was working undercover, everything was very sensitive, and of course, we did not want identity to get out, but we know that eventually it will. All those things will end because I'm required to testify and I'm required to present a case against this person. So I think the other thing is at least I hope that there's an appreciation. I worked in law enforcement. That was my job. Everyone else's job that they were doing was to do what they did. So there's where the paths crossed in terms of what you were doing was illegal and that was my job to make sure that people didn't commit crimes against organizations, against the local statutes.

So that is another thing at least that I look at or from I look at. It wasn't something that I was purposely targeting these people just because. I was only going after them because they were doing things that were illegal. Outside of that, most of the people that I met online, they were good people, they were nice people, they were very friendly, they were very genuine. I had no disdain for anybody. You do feel bad as time goes on because you know eventually all good things will end and that there is going to be a culmination of the case.

Now, I still argued against it at that particular moment in time because I felt that we had achieved the highest level of success in an undercover capacity than anyone had ever done at that time. So in the realm of the carding community, and that's all I'm speaking about is the carding community, but in that community, I had achieved that level of success and we were moving to the next level. Whereas you meet one individual and then they often keep everything that's very special to them hidden behind them. They don't want you necessarily knowing that back organization that supports them, but they were starting to start letting me into that world as well, introducing me to friends that were online and offline and being able to start that social opportunity and to gain a bigger foothold.

My argument always was people are going to get arrested and people are going to have to disappear for a period of time, but so long as your identity stays intact, you have an opportunity to continue to build that and to be able to create, let's just say, a higher level of achievements, but everyone was nervous. Everyone was worried about losing at least the opportunity to say, "Well, it was us." You get the banner with the lights around it, "We did it." So there was that, let's just say, the public side of it, the PR of opportunity. No one wanted to miss that, and so this is why the case came to a culmination like it did because there was fear that maybe another agency would arrest our target and that we would lose the fame and the glory of it all.

For me, that wasn't the first thing I was looking at. The first thing I was looking at is in order to really disrupt this online community, you really have to get embedded into that community, and then you can use the data that you're getting in an intelligent manner and start specifically picking people off one by one by one. You may use me as a way to know the credibility or the value of a person, but then you create a secondary case where you don't have to give that discovery and you can actually shield that person, but again, there just wasn't an appetite for it so we ended it. Maybe it was because the campaign was coming and I had a stand post. I don't know, really, but ultimately, that was something that was a battle, believe it or not. It was a battle that I had a fight in the logistics of the whole operation.

David:

That's unbelievable. I don't want to keep you too long, but, Rich, so you're in San Diego. You're a Secret Service agent, and then you're flying to some exotic resort under a different name, a different identity. Is it like James Bond? Are you outfitted with a ... if you can tell. If you can't tell, don't say anything, but are you outfitted with the identity, the passport? How do you get through and how do you explain? How do you buy your ticket? It's just creating a second life. Go ahead.

Rich:

Those were a lot of challenges that we faced because ... I won't get into that per se, but the challenge of I fly to a foreign destination. When we had these conversations, do you put a wire on? Do we outfit you with a firearm? Do we do whatever it is to make you more safe? I always looked back and said, "Well, would a normal person who's doing what I'm doing end up with that type of stuff?" So anything that you would consider special or unique. So the only thing that was special or unique for me that I carried with me was my undercover cellphone, and just like anyone else in the world, you had to create a story. I had my story with it.

Nice for me is time zones never match up. So my guys, my team of people that were doing criminal work for me always were operating at the time I happen to be overseas somewhere else. So I would be communicating with them and that's why I had to have my cellphone or that would be why I would be distracted, where I would be sending text message, but I was sending text messages to the team that I was working with and letting them know what's the next steps, where are we going, what are we doing, and stuff like that.

To them I would say, "Guys have some questions about some of the cards or whatever, helping them out." I would just make up excuses or who knows. It could even be a girlfriend. Time zones. Again, so I had a lot built-in excuse, but you already had to think about those things and that was even the whole identity of weaving a life together that you won't necessarily be confused. So I made sure that I always used my first name, my real first name because if I didn't use my real first name, my fear would be is they're asking for John and I'm not paying attention. I'm John. I'm supposed to, like anyone else, if I say your name, you turn to attention. Even if they don't say your name and they're talking to someone else but you hear your name you're like, "Oh, who's calling my name?" So the last thing I wanted to do is change my first name and not be responsive if someone was saying my true name. So that was the first and foremost.

The secondary thing was how to create a life that's not truly a life that you can remember. So I mixed a lot of the real world with the fake world. So I would take addresses and I would take maybe the address' first four digits, and then I'd mix it with the different street name or I would take the street name and then change it to court or boulevard. I would move it from one city to the next city and stuff like this. So it was all easy to remember was things of my past. Now, there were some things that I had to remember that were different and that would be unique to the new identity, but it was less than or less complicated than if I tried to create with a whole new background that wasn't already at least embedded in a little bit into my mind.

So that was a little bit of the philosophy, and then beyond that, people asked me about my computer, of how I set up my computer, what defenses did I use, how did I make it impenetrable, and my answer was, "I didn't do anything special to my computer. I let people hack into my computer if they wanted to hack into my computer. I didn't do anything that would be spectacularly different," but what I did do was never use my computer for anything that wasn't related to my undercover life. I never mixed the two worlds together.

So keeping those separate allowed for that opportunity. If someone was to get in there, they would find criminal stuff, they would find pictures of me. I did this a lot too, where I took pictures of me in places or destinations that I would go and I put that on the computer, but those pictures wouldn't necessarily always incorporate people that were near and dear to the heart, so to speak. It might be other people that just happened to be nearby or whatnot. So seeding that battlefield, so to speak, to make sure that if there was some normalcy to it. Then of course, if it ever did get challenged, my backup was, "That's my work computer that you're looking at. That's not my real computer."

David:

What a story. This is unbelievable. Well, I guess we got to start to bring this to closure. It's really been great talking to you, Rich. We should talk too about what you're doing now and what you see for yourself in the future.

Rich:

So now obviously, what I guess the whole idea was what I spoke about a little bit to Andrew earlier was I've learned a lot, I've understood a lot, I've seen a lot. I have a perspective that's unique to most. Not only have I worked in the law enforcement realm of meeting some companies or some organizations at the worst time of their lives when there has been a compromise or a loss of data and being able to try to help, but of course, my goal at that time was to get the evidence I needed to start targeting the advanced persistent threat who lives online. So there was that opportunity to meet, work with, and develop relationships.

Pivoting over to another side of the Secret Service that we work was critical infrastructure, being able to at least triage critical infrastructure to recommend best practices to better create that cyber resiliency, to make it less of an opportunity for them to get in there and cause damages. Then the other side of meeting with and working with the bad guys as a bad guy, I don't think many people have that background or experience. Then lastly, of course, the opportunity of debriefing the bad guy operating or at least directing the bad guy with the United States Attorney's Office, running informants and continuing those opportunities to arrest other people.

So I think when you culminate all of those skills, at least you present to an organization potentially the skillsets that most people don't have. Then I added onto that by getting the CISSP or the CISM and then adding saying, "Okay. Here's validity to not just what I've learned with the Secret Service over the course of 23 years, but also with working with the industry and being able to understand what frameworks we need to use to better create the resiliency," and then knowing, "Hey, most bad guys, they go after organizations that they don't have a very high threshold."

We always have used this example in law enforcement and others. How well do you protect your own home? Do you have a home that has no doors, that has no windows? Do you have a house that has windows and doors but you don't lock the doors? Every time you add a layer, do we put bars on the outside that only you can open from the inside? Every time we do those extra layers, we create that extra layer of security. Most people are lazy. If they can't have an easy way in, they might defer to go to the next organization. People are scanning ranges of IP addresses and when they scan those ranges, they're looking for those endemic flaws that will make it easy for them to walk through the front door without having to break down many barriers and then they create the persistence that they need so if they lose the access to that front door by a company raising their defenses, it doesn't make a difference to them because their persistence is already there by elevating their privileges and creating the correct accounts.

So the idea is now to take all of that information that I have, knowledge that I have, the experience that I have, and apply that now to an organization to be able to provide at least the risk assessments that they need and then recommend how it is they can better protect their organization. Now, obviously, budgets are always going to play a crucial role. Funding the right amount of manpower and staffing is going to take a role into that whole philosophy or the ideology, but my job, the way at least I look at it today, is I bring forward the risk assessment to the organization. I make the recommendations, and then we plan for and create a strategy in order to create the right layers that will make the company more resilient.

There is no silver bullet here. You're not going to be 100%, but if we can bring it up to a 75%, 80%, 90%. Then also when you look at how many corporations might not be doing the same things or might not be deploying the same technologies, then a bad guy may defer, even though they have let's just say the slightest of toehold onto your organization, to another alternate person because, quite frankly, it's easier and all people are lazy, all people are looking for that quick win, and it's not anything different here in this world that we're speaking about.

So that's the philosophy. It's getting the APT off the street to now making sure a company is protected from that particular threat that will be out there and is ever present and growing, obviously, as we know because there's no lack of news articles, there's no lack of statistics that are bringing forward to whether it's a phishing scam or whether it's a social engineering. Obviously, ransomware is always on everyone's mind and how to prevent the next ransomware. I think the next biggest thing that we always see is, where does the trend go? Ransomware, to be able to at least get you to make that first payment, it could be also a secondary ransomware opportunity on one of your clients, but now they've even extended to blackmail to some extent because we have created a system where there's checks and balances. Is the organization doing the right thing? Is a regulatory agency over watching you, and are they asking, "Do you do the right thing?" and if you are answering yes to all those questions and then we can find out that you haven't been doing the right things with that, we can now turn the tables on you and say, "Well, you don't have to worry about me. If you don't pay this fine to me, then you can expect the regulatory agencies to hammer the heck out of you for the loss of all of this data."

So it's gotten very complicated and I think that organizations need to really be thinking from all these different aspects and understanding everything from not just one lens, but all the different lenses that are going to be looking in and looking out, and then creating the culture within an organization. So I've been in a mature organization already where all the processes were in place, and I'm also currently working with other organizations that you're looking to switch it completely. We go from your startup ideology where there's no policies, there's no procedures to now making sure that we have the policies and procedures and then the culture needs to come next where people have to understand that the policies that you have in place are how your organization is now looking at everything within that organization.

So we have to now make sure people follow your change management procedures. We have to make sure that they are doing the right thing in terms of password management. We're recycling through passwords. We're making sure we're not using the same ones. We're following the complexity rules. We're following the classification rules so that we can start a data loss prevention program. So there's a lot of complexity that goes into this, but as organizations mature, these things have to take into effect and it's a top-down approach. So you get the leadership on board that makes sure that everyone else is on board, and then from there, the culture starts changing. People start thinking more from a security mindset as opposed to, "I just want to get the job done," which everyone wants to, but security oftentimes makes it a little less convenient for people to do their jobs.

Andrew:

You're playing the role in some respects of the people that made you sit and be a boring guy when you were undercover because you have to apply the limitations. It's interesting that you can't be ... Party Rich can't show up to all these meetings, I'm assuming.

Rich:

No, but there's always after hours.

David:

All right. On that note, we probably ought to thank you. Hey, this is phenomenal, Rich. I really, really appreciate your time. We all do, but I feel particularly grateful that Andrew's brought you to our doorstep here. It's really been a great conversation. So thanks so much. Andrew, I'll let you say some words and, Rich.

Andrew:

Similarly, Rich, it's always great to catch up with you. I know that you've had such an interesting career already. I'm excited to see what's next for you in terms of just governance and dealing and being the square now to some degree that it's wonderful to see someone in that space come from a place where not only do you have the technical expertise, but you've actually been in the rooms with all of these folks because a lot of times, there's an academic view to security and then the more practical, and to be able to actually bring them both together is incredibly impressive. So thank you for sharing some of your insights, some of your war stories with us today.

Rich:

Yeah, no, I appreciate the opportunity. I always look forward to a chance to reminisce, if you will, or speak about just these different things. By the way, this all comes together as well because this will be used as an opportunity for other corporations to hear a little bit more from two different aspects and be able to say, "Okay. Hey, hey, how can we apply these same thoughts, the same strategy?" Look, this is the whole goal is to make, as a team, everything better and not easy for the APT. That's our goal. That's my goal at least.

David:

Excellent. Well, thanks so much.

Thanks so much for listening to us today.

Andrew:

To support us, please rate, review, and follow us wherever you listen to your podcast. To learn more about the show, head on over to decryptedunscripted.com.