As cyberattacks become more frequent and sophisticated worldwide, the urgency for robust cybersecurity measures has never been greater. In Uzbekistan alone, cyber threats surged 25-fold in the past year, highlighting the critical need for organizations to fortify their defences. Against this backdrop, Jayson E. Street, a globally recognized ethical hacker, delivered a riveting presentation at the recent Cyber Security Summit in Tashkent, where he shared his insights on the often-overlooked vulnerabilities that make organizations susceptible to attacks.
Street, known for his audacious methods of breaching high-security facilities as part of penetration tests, is no stranger to uncovering the weak spots in an organization’s security. Described by FOX25 Boston as a “notorious hacker” and by National Geographic as a “world-class hacker,” Street’s unconventional approach—he has simulated bank robberies and hacked into government facilities across five continents—offers a chilling reminder of how easily human error can be exploited.
During his interview with Daryo, Street highlighted one of the most common vulnerabilities: misplaced trust. “Once I’m past the first layer, people assume I’m meant to be there,” he explained, noting how attackers exploit human behaviour and social norms. “No one wants to seem rude or question authority,” he said, emphasizing how attackers use this reluctance to their advantage. “The problem is that people don’t want to be rude. If someone comes in and says they’re working on something, employees think it’s their job to help, not to question.”
Street, who prefers to be called a “Hacker, Helper, and Human,” stressed the need for companies to focus on the “three E’s”—educate, empower, and enforce. He explained that employees must be educated on current threats, empowered to question anything suspicious, and supported by policies that enforce these behaviours.
“You need to educate your employees about what kinds of attacks are happening, empower them to challenge unusual situations, and enforce these policies universally,” Street said, emphasizing that effective communication between staff and management is essential for a secure working environment.
Street also demonstrated one of the more alarming tools in a hacker’s arsenal: the “USB Rubber Ducky.” This device mimics a keyboard and executes pre-recorded keystrokes when plugged into a computer, bypassing traditional security measures. He described how this seemingly harmless device can quickly take over a system.
“I can pre-record everything I want to do. Once the USB is plugged in, it mimics a keyboard and types extremely fast, executing commands before the system has time to react,” he explained. Despite the simplicity of this attack, he noted that it remains effective in many organizations that underestimate physical security.
However, Street shared a rare instance where his attack was blocked. “For the first time in over a decade, I encountered a system that detected my fake keyboard and stopped it from running,” he said, praising the organization’s proactive defence. This success story, though uncommon, serves as a reminder that even simple security measures can thwart sophisticated attacks if implemented correctly.
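The article does not say how that system recognized the fake keyboard. One common defensive approach is to flag sustained typing that is faster than a person can manage; the sketch below is an added example, not from Street or the organization he tested, and the event format, device names and thresholds are assumptions.

```python
from collections import defaultdict
from statistics import median

# Assumed thresholds (tune per environment): a person does not sustain
# inter-key gaps of a few milliseconds over a dozen or more keys.
MIN_BURST_KEYS = 12        # ignore short runs such as key rollover
MAX_MEDIAN_GAP_MS = 15.0   # median gap at or below this is treated as scripted
BURST_BREAK_MS = 500.0     # a pause this long ends the current burst

def find_injection_bursts(events):
    """events: iterable of (device_id, timestamp_ms), time-ordered per device.
    Returns {device_id: [(start_ms, end_ms, key_count, median_gap_ms), ...]}."""
    per_device = defaultdict(list)
    for dev, ts in events:
        per_device[dev].append(ts)

    flagged = {}
    for dev, stamps in per_device.items():
        # Split this device's keystrokes into bursts separated by long pauses.
        bursts, current = [], [stamps[0]]
        for ts in stamps[1:]:
            if ts - current[-1] > BURST_BREAK_MS:
                bursts.append(current)
                current = [ts]
            else:
                current.append(ts)
        bursts.append(current)

        hits = []
        for b in bursts:
            if len(b) < MIN_BURST_KEYS:
                continue
            gaps = [later - earlier for earlier, later in zip(b, b[1:])]
            med = median(gaps)
            if med <= MAX_MEDIAN_GAP_MS:
                hits.append((b[0], b[-1], len(b), med))
        if hits:
            flagged[dev] = hits
    return flagged

# Constructed sample: a human typist and a newly attached HID typing at 4 ms/key.
HUMAN = [("kbd-internal", t) for t in
         (0, 140, 310, 420, 600, 730, 905, 1010, 1200, 1330, 1480, 1600, 1750)]
SCRIPTED = [("hid-new", 5000 + 4 * i) for i in range(40)]
SAMPLE_EVENTS = sorted(HUMAN + SCRIPTED, key=lambda e: e[1])
```

Timing is only one signal; it is typically paired with a policy that blocks or prompts for newly attached keyboards until someone approves them.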
One of the key highlights of the summit was Cyberkent 2, Uzbekistan’s largest cybersecurity competition, which took place on October 9-10 as a sideline event. This high-stakes contest pitted Blue Teams, responsible for defending their virtual infrastructures, against Red Teams, whose goal was to exploit vulnerabilities and gain control of the systems. Cyberkent 2 featured open challenges like CTF Master, Hack ATM, and Hack SmartHome, where participants could test their skills in solving cybersecurity issues, identifying weaknesses in ATM systems, and securing smart home devices. The event drew some of the best cybersecurity talent in Uzbekistan, with cash prizes of up to 10,000,000 UZS for the top teams.
Street was particularly impressed by the competition’s structure. “Most conferences focus only on the red team—breaking into networks—but here, they also highlighted the defensive side, which is just as important,” he remarked. The inclusion of both offensive and defensive strategies in the competition, he said, reflects a balanced approach to cybersecurity that more conferences should adopt.
Beyond the technical aspects, Street emphasized the importance of human vigilance. He recounted a penetration test at a bank where a diligent employee challenged him and refused to let him access her computer, even after he presented himself as an authority figure. “She wasn’t having it. She did everything right,” he said, though he acknowledged that a subsequent miscommunication allowed him to continue the simulated attack.
“Humans are not the weakest link—they’re just the least invested in,” he said, adding that companies need to make security training more accessible and engaging for non-technical staff.
Street also urged organizations to go beyond workplace security by helping employees secure their home networks and personal devices. “If you teach people how to secure their Wi-Fi at home, they will bring that same vigilance to work,” he explained. He argued that by creating a security-conscious mindset in everyday life, employees would be more likely to apply those principles in the workplace.
When asked about Uzbekistan’s cybersecurity landscape, Street expressed optimism. He praised the country’s focus on fostering young talent, particularly through events like the Cyberkent competition, which offered a platform for students and professionals alike to showcase their skills. “Seeing the young people at the robotics championships and CTF competitions today was inspiring,” he said. “They’ve got a path to a positive future in technology.”
He also stressed the importance of diversity in cybersecurity, arguing that different perspectives make for stronger defences. “Diversity doesn’t dilute the system, it strengthens it,” he said, pointing out that people from various backgrounds bring fresh ideas that can help identify vulnerabilities others might miss. He referenced a famous example where soap dispensers failed to recognize darker skin tones because the technology was designed by a homogeneous team, illustrating how limited viewpoints can lead to serious oversights.
As his visit to Uzbekistan draws to a close, Street is looking forward to exploring more of the country and reflecting on the summit’s impact. “I’m not here to make money. I’m here to help people learn,” he said, reaffirming his mission to educate and inspire.
Key Takeaways from Jayson E. Street’s Interview:
• Human Error in Cybersecurity: Employees often hesitate to challenge suspicious individuals, assuming they are legitimate, which is a critical vulnerability.
• The Three E’s: Educate employees, empower them to question unusual activities, and enforce security policies consistently.
• USB Rubber Ducky Attacks: Low-tech devices that mimic keyboards continue to bypass sophisticated defences.
• Cyberkent 2 Competition: Uzbekistan’s largest cybersecurity event highlighted both offensive and defensive strategies, showcasing the country’s growing talent pool.
• Importance of Diversity: Diverse perspectives in cybersecurity are essential for identifying vulnerabilities that homogeneous teams might overlook.