back to article Stealing, scamming, bluffing: El Reg rides along with pen-testing 'red team hackers'

"Go to this McDonald's," Chris Gatford told me. "There's a 'Create Your Taste' burger-builder PC there and you should be able to access the OS. Find that machine, open the command prompt and pretend to do something important. "I'll be watching you." Gatford instructed your reporter to visit the burger barn because he …

  1. Anonymous Coward
    Thumb Up

    Sounds like a story...

    Straight from a James Bond movie...

    Love it !

    1. Destroy All Monsters Silver badge
      Thumb Up

      Re: Sounds like a story...

      Anyone who has grabbed Mitnick's "The Art Of..."

      .... knows the tricks.

      Dones't mean he/she can effectively defend against them.

      Like for real-world viruses, the cell wants to help.

    2. John Smith 19 Gold badge
      Unhappy

      Re: Sounds like a story...Straight from a James Bond movie...

      Actually it sounds like the film "Sneakers" made in 1992.

      The comms have changed a bit. RFID rather than mag tape badges but...

      It seems companies pay as little attention to security and privacy as people on Facebook.

      1. Sgt_Oddball
        Headmaster

        Re: Sounds like a story...Straight from a James Bond movie...

        The irony now being that the magstrips are now more secure... at least you have to physically touch them first.

  2. Will Godfrey Silver badge
    Thumb Up

    Wow!

    Absolutely fascinating, and scary too.

    1. Anonymous Coward
      Anonymous Coward

      Re: Wow!

      Just add Parcour action and you have a Luc Besson movie.

  3. Dabooka

    Top stuff

    Sounds great fun, and reminded me instantly about Sneakers

    I'd love a follow up article based on the report, feedback and implementations of AFIs. Obviously suitably redacted etc, but reading this identifies some of the basics anyway; logins on Post-Its for example.

    1. Reghack Pauli

      Re: Top stuff

      Great idea, I'll run it by Gatford :)

      1. Dabooka
        Thumb Up

        Re: Top stuff

        Marvellous. I think I'm just curious as to how well it's received. It wouldn't be the first time a report is commissioned and the findings are then argued or ignored.

        I see it all the time in my sector!

        1. Anonymous Coward
          Anonymous Coward

          Re: Top stuff

          Depends on who commissioned it. If the CEO is the only one who knows about it, presumably it originated with him or the board of directors. They have less incentive to bury the results than if it originated with someone who would shoulder a lot of the blame, i.e. chief security officer (or equivalent)

          If the CSO originated something like this, thinking "we're so secure, we'll pass with flying colors and when I show it to the CEO, I'll get a raise" and then finds they are woefully deficient, he's probably not going to bring it with the CEO - at least not until he fixes a lot of the stuff so the results look better when compared to the average assessment, or he puts his thumb on the scale by alerting his subordinates of a coming 'attack' for round two.

  4. Robigus
    Pint

    Great article. I'm sure that the same guilt would have enveloped many of us too.

    As you're a beer man, have another.

  5. Pascal Monett Silver badge

    It's a bit disappointing

    Very interesting read, but it is slightly disappointing to learn that actually getting into "secure" areas involves things as simple as not having a responsible answer his phone.

    In my mind, if I do not get confirmation of something from a known authority, you can leave and come do your audit at a later date when I have been notified.

    Everything that happens after that point is just icing on the fail cake. If the guy who knew nothing about the "audit" did his job and did not let anyone past him, the mission would not have gathered any useful information.

    Once in, it is vastly easier to gather data because, by definition, if you're in it's because you've been allowed in so you're authorized and people are naturally going to be helpful.

    1. Version 1.0 Silver badge

      Re: It's a bit disappointing

      It's been years since I did this but I always found that wearing glasses, a lab coat, carrying a clipboard, and asking politely with an Oxford accent would get me into virtually anywhere.

      1. Antron Argaiv Silver badge

        Re: It's a bit disappointing

        A clipboard and a worried look will get you anywhere you want to go. Hard hat optional.

        1. John H Woods Silver badge

          Re: It's a bit disappointing

          It's the synergy of posh and utilitarian that forms the ultimate access blogging combo --- standard English, spectacles and a decent suit on the one hand; hi vis; steel toecaps; hard hat; clipboard or ruggedised laptop on the other.

          An engineering colleague of mine pointed out the delicious irony that struggling with a ladder (and therefore having both hands occupied) will get you ID-free access to a lot of places where, if anything, the guards should be more suspicious of those so equipped!

          1. Shooter

            Re: It's a bit disappointing

            Your colleague may have been thinking of this:

            https://www.youtube.com/watch?v=NiEMcjSQOzg&feature=youtu.be

        2. Dr Dan Holdsworth
          Pirate

          Re: It's a bit disappointing

          Actually you need a little bit more to get anywhere much. For recon outside a building, a suit, hi-vis vest and clip-board work wonders for not alerting the CCTV people (bonus if the hi-vis has an HMRC logo on the back; people will avoid you like the plague then) since interfering with someone who is "obviously" not out to steal or damage and doesn't look like criminal scum isn't generally needed.

          Inside a building, you need to pretend to be a contractor with a legitimate right to be there. That "explains" why you don't know your way around, and "explains" why you're asking funny questions. An audit is a very good thing to pretend to be doing, especially if the audit is of equipment that management think might be going walkies out of the building. That explains why nobody knows about the audit; it was arranged quietly so that the guilty parties wouldn't get tipped off.

          You're aiming to hit that balance of "I have every right to be here" together with "I have authority and will be a truly horrible annoyance if you don't cooperate" together with "apologies for all of this, terribly sorry and I don't like it any more than you do but the money is quite good" etc etc... Affability and politeness together with "just here to do a job" gets you a hell of a long way.

          1. Alan Brown Silver badge

            Re: It's a bit disappointing

            "For recon outside a building, a suit, hi-vis vest and clip-board work wonders for not alerting the CCTV people "

            This is one reason I look closely at people wearing hi-vis. Once they realise people are paying attention, many start looking self-concious and disappear quickly.

        3. herman

          Re: It's a bit disappointing

          Labcoat!? Clipboard!? Maybe 25 years ago, not today.

    2. DropBear

      Re: It's a bit disappointing

      "In my mind, if I do not get confirmation of something from a known authority, you can leave and come do your audit at a later date when I have been notified."

      That sounds very nice... on paper. Even those who consciously make some effort to keep to such principles can be vulnerable to an attacker pushing the right buttons with appropriate mastery, playing off fears for one's own job security in case of a hard refusal, the other person's prospects for the same in case you don't play along, etc. It's all about how convincing the attacker manages to get, how much insider information they seem to know, and how well they sell the pickle they're allegedly in if you refuse to help.

      That's not to say heartless BOFHs don't exist, but most people would need to either consider their protected target to be of incredible importance or halfway expect some sort of attack in order to find the resolve to stay completely inflexible faced with a really skilled attacker. At any rate, a properly skilled one would know when to back out inconspicuously if they've hit an unexpected hard spot and would just find an easier point of access - that thing about chains, links, weaknesses etc.

    3. Cuddles

      Re: It's a bit disappointing

      "Very interesting read, but it is slightly disappointing to learn that actually getting into "secure" areas involves things as simple as not having a responsible answer his phone."

      Really? I'm surprised any actually found anything to learn in the article at all. Don't get me wrong, it was a good read, but as the article itself notes there's nothing new here at all; humans are the weak link and these are the same techniques con artists have been using for millennia. The fact that theft targets now include things like login details and not just valuable items hasn't changed anything about how to actually access them. Today a security guard let someone into a server room without checking properly with their superior about the surprise computer audit, 6,000 years ago an ancient Egyptian guard let someone into the vault without properly checking with their superior about the surprise gold audit.

    4. Kiwi

      Re: It's a bit disappointing

      In my mind, if I do not get confirmation of something from a known authority, you can leave and come do your audit at a later date when I have been notified.

      Sadly for many of us, bosses aren't pleased when their orders aren't carried out and jobs not done. Even if it is their fault for not telling us beforehand and standard company practice that no one enters secure areas without appropriate notification, paperwork and escort. No matter how well dressed they are.

    5. Evil Auditor Silver badge

      Re: It's a bit disappointing

      In my mind, if I do not get confirmation of something from a known authority, you can leave and come do your audit at a later date when I have been notified.

      You're my hero! Seriously though, this is a rather rare beast in reality. Even though quite a few people would say exactly like you did, what they actually do is totally different.

      Usually I don't conduct surprise audits and my 'victims' are mostly informed. It still happens regularly that they didn't know of forgot about the audit. But so far only once, about three weeks ago, a guy insisted to check with this boss and I had to return the next day.

    6. Sgt_Oddball

      Re: It's a bit disappointing

      That indeed should be the case and is just the sort of thing this exposes.

  6. Anonymous Coward
    Anonymous Coward

    The abuse of "military grade"...

    ... is particularly cringeworthy here. All scope manufacturers sell their wares to civvys so, unless it's alien technology from the black helicopters, what a "military grade sniper scope" refers to is "an overpriced geegaw that's limited in magnification because going higher makes it too fragile to be used by people who don't care."

    For observing human behaviour, these days you're better off using a camcorder - which will have higher magnification *and* image stabilisation *and* records...

    And unless said MGSS was actually fastened to a firearm at the time, what's the difference between it and a telescope as far as plod banging on the window? Other than the "yeah baby, I'm totally cool and a spy and dangerous and have a massive willy, want to come back to mine?".

    1. Dr Who

      Re: The abuse of "military grade"...

      "yeah baby, I'm totally cool and a spy and dangerous and have a massive willy, want to come back to mine?"

      Why ask the question when you already know the correct, and perfectly sensible, answer.

      PS I have a military grade lawn mower. The exact same model is used by the army to mow their lawns - I kid you not!

      1. Hero Protagonist

        Re: The abuse of "military grade"...

        No, what makes it military grade is the price tag

  7. Anonymous Coward
    Anonymous Coward

    Military grade

    --- last decade's spec

    --- next decade's price

    --- can be used as a hammer

    1. Anonymous Coward
      Anonymous Coward

      Re: Military grade

      Ha!

      When I was in a cavalry regiment in the 1980's one of my troop had a sprocket break on a Challenger 1. What you are supposed to do is to put a chalk or paint mark on the lead insertion point on the sprocket wheel so that you can match it on the new one and easily push the new wheel into place. Unfortunately the driver of the stricken tank forgot to mark it and put the new sprocket on misaligned. His commander called me to say that he had put everything on correctly and was at a loss to understand why the sprocket would not fit. I went to call recovery and came back to see that the driver of my own vehicle had lent a hand by driving my tank into the side to try and force the wheel on. Result: one (newish) Challenger 1 MBT declared as BERNEWT (Beyond Economical Repair - not to be employed with troop)

      1. Tom Paine

        Re: Military grade

        I worked with an ex-army guy once who had a great story about a ten day long exercise living rough on Salisbury Plain. Towards the end of the exercise as they were waiting around for a pickup and return to base -- in the sort of state you'd expect if you'd been living in the open for ten days -- a tankie roared up and stopped, the hatch popped open and a senior officer from (I forget the name of the regiment, I want to say "ths aomething something Dragoons" but I'm sure it's wrong -- anyway, one of the more flowery names) popped out and started berating the troops for the disgraceful state of their kit, not standing smartly to attention, etc. After a while of this he indicated himself and said "Look here, I'm a Colonel in the Dragoons [or it may be Hussars or suchlike] and _I'M_ properly turned out as an officer in Her Majesty's Army. Do any of you lot even know what a Dragoon Guard is?" from the rear of the section came a clearly audible "Yeah we do - it's a cunt in a tank" was heard. Collapse of stout party.

        His other story about tankies was the fun of flicking lighters at them. Sounds like a rather dark form of humour to me, but there you go,...

        1. Destroy All Monsters Silver badge

          Re: Military grade

          This isn't /k/ !

        2. Sgt_Oddball
          Flame

          Re: Military grade

          Surely the lighters hark back to the days of the Sherman lend lease tanks. Or the 'ronson' as they got called after the lighters. Lights first time, everytime.

          The Germans just called them 'Tommy cookers......

  8. Anonymous Coward
    Anonymous Coward

    Sad but true....

    ...we lost a load of kit when at 6 am some guys in suits followed the cleaners in. They simply picked up a load of (unsecured) laptops and simply walked out the door.

    The cleaners didn't get the bollocking, the people who left the laptops did, and rightly so.

    1. d3vy

      Re: Sad but true....

      "The cleaners didn't get the bollocking, the people who left the laptops did, and rightly so."

      I'd have thought that the cleaners should have had a talking too as well...

      I heard a story from a guy doing pen testing for us years ago, when on site doing an audit he noticed that the cleaners had access to the server room. The next morning one of the cleaners was £20 better off and there was a foreign pen drive plugged discreetly into the back of one of the servers...

      Cleaners, Janitors and Security have access to lots of things, they need to be as aware of security concerns as your normal staff. *

      * None of them should not have access to your server room at all.

  9. Arthur the cat Silver badge
    Trollface

    HackLabs' Manly office

    How macho. Do they have a Girly office as well?

    1. Neil Barnes Silver badge
      Paris Hilton

      Re: HackLabs' Manly office

      Please. Womanly office.

      1. Destroy All Monsters Silver badge

        Re: HackLabs' Manly office

        That would be the one inhabited by Angelina Jolie? (Hackers is from 1995 ... is it really that long ago? OMG LOLZ)

  10. fearnothing

    If anyone is curious about this but doesn't want to spend £££ on a course, I recommend this book by Chris Hadnagy (@humanhacker):

    https://www.amazon.co.uk/Social-Engineering-Art-Human-Hacking/dp/0470639539

    Ever seen the TV series Lie To Me? The main character is loosely based off a real person, Dr Paul Ekman. Hadnagy learned the ropes from Dr Ekman, who also advised on the book. Good read.

  11. GrapeBunch

    Advertising

    is a red team attack on you.

  12. Valeyard

    politeness

    As the article states, a lot of this is down to people not wanting to tell someone 'no'

    after working in a bank i have both security and hatred of people in general drilled in. I've told newstarters, visiting VIPs or just people who've worked there a while but not in my department "no" if they've forgotten their pass and want to follow me through a door, I've just left them in the freezing cold lobby with the promise i'll send any name they give me downstairs to meet them.

    just doesn't work on absolute bastards ;)

  13. Anonymous Coward
    Linux

    Remote access to the building management system

    Why are they allowing remote access to the building management system in the first place?

    @theRegister: "Today's mission is to get into the guards' office and record the security controls in place. If we can learn the name and version of the building management system, we've won .. I hear the guard telling Gatford how staff use remote desktop protocol to log in to the building management system, our mission objective."

    Wouldn't be simpler to find out what company provides the security infrastructure and what skills they advertise in new recuits. That'll tell you a lot about the systems they provide.

    @theRegister: '"What version?" Gatford asks. "Uh, 7.1. It crashes a lot."'

    Well then, what version?

    ps: When are they going to blow the doors off the front of the building, like I once saw in a 'hacker' movie whose name I've forgotton.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like