All in Fieldcraft
A reader asked me yesterday whether it would be easier to draw a sketch of the site I am casing on a piece of paper instead of using an iPhone or iPad.
The truth is that it is. And I've been doing this since I can remember. Here's an example.
If you’re in public, you’re on camera. Walk into a coffee shop and the owner has you on camera at the register. Visit a larger store, and chances are they have your face the moment you cross the threshold. At least one or two of your neighbors catch you on camera when you walk around your neighborhood, and many cities monitor traffic with red light cameras at major intersections. The question is no longer whether you’re on camera, but how many different angles caught you while you went about your day.
With so much monitoring taking place, and with surveillance systems gaining more online functionality every year, it’s natural that securing these systems would become… complicated, and that many are secured incorrectly or not at all. Because so many cameras and surveillance systems are completely open, anyone with Internet access can watch literally thousands of cameras online using only Google and a kindergartener’s understanding of the ‘Net. With a little time and patience, almost any given system, from a set of residential cameras to those used by your local police, can be accessed, viewed, and even reset if it is not properly secured. Of course, if you can do this, anyone can. Feel safer yet? If you run cameras yourself, the first check is whether the device’s web interface or video stream answers from the Internet without a login; if it does, put it behind a firewall or VPN and set a password before it goes back online.
In my experience, people think adversaries (they call them hackers) always find vulnerabilities (in networks, applications, protocols, etc.) and write or use exploits in order to gain access to their targets.
While this is true to some extent, many attackers use other techniques to gain that initial foothold. Social engineering is a very effective way to convince someone to download and open a *weaponized* document or binary and get infected with a piece of malware that gives the attacker remote access to the system.
Social engineering doesn't necessarily mean calling or emailing the target. Sometimes sending a bunch of *product samples* will do the trick. For example, sending cheap USB flash drives, or leaving them at your target's reception desk, can do wonderful things. Have the USB drive point to a malicious binary that runs automatically when the drive is inserted in a computer, or put a seemingly harmless PDF called something along the lines of "Get more free samples.pdf" on it, outfitted with some malware, and you now have remote access to the system. One caveat: current Windows versions no longer AutoRun executables from removable media, so in practice the payload depends on the user opening the file, which is exactly why the file name and the "free samples" pretext matter.
On this particular project my team and I were tasked with getting access to the VP of marketing's laptop. Part of the team began tailing the VP so we'd have an idea of what his daily routines were. The other part of the team began checking the company's network in order to try to penetrate it and find our way to the VP's laptop from there. As a last resort we would try a physical penetration of the building so we could get to the laptop.
After over a week we didn't have anything concrete on the digital pentest side; they were fairly secure. We could eventually have found a vulnerability that might be exploited, but we were under a very tight timeframe for the project. We were considering the physical pentest when J. called me from the field and told me he had discovered that the VP had an unsecured Bluetooth connection on his laptop.
A while ago I had to perform a physical penetration test in which I was tasked with trying to infiltrate my customer's building, find the CEO's or any other high-ranking executive's laptop, and make a copy of the hard drive.
I performed my recon for 2 weeks. The building had cameras everywhere, so I had to be careful where I was walking. I wasn't sure whether the security personnel were monitoring the cameras or whether they could recognize me as someone who wasn't an employee, but I didn't want to set off any alarms if I could avoid it.
The big problem was that in order to avoid the cameras I needed to take the elevator. The stairs were a no-go, cameras everywhere, but the elevator had a possible blind spot (which I discovered on a recon walk when I went into the building pretending to be a UPS guy). However, in order to take the elevator I needed to call it first. I couldn't do this because I needed a company access card to enable the call button. So I waited.
A few minutes later someone walked out of one of the elevators. I pretended to be on the phone. As the door was closing I walked right into the elevator.
CARVER is an acronym that stands for Criticality, Accessibility, Recuperability, Vulnerability, Effect and Recognizability. It's a target-analysis system used by Special Forces to score candidate targets on each of those six criteria and decide which one should be addressed first. Let me write down what each component means in terms of information security.
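As an added example (not code from the original post, which contains none), here is a CARVER scoring matrix in Python applied to information assets. Each target gets a 1-10 score on the six criteria, the scores are summed, and the highest total is the most attractive target from an attacker's point of view, so it is the one a defender should address first. The asset names, scores and the optional weights are constructed for illustration; the weighted variant goes a step beyond the plain CARVER sum by counting accessibility and vulnerability twice, which is one way to reflect that a target the adversary cannot reach or break is not really a target.

```python
"""CARVER target-prioritization matrix applied to information assets.

Added example; not code from the original post. Each target is scored
1-10 on the six CARVER criteria and the scores are summed: the highest
total is the most attractive target for an attacker, so it is the one
the defender should address first. Asset names, scores and weights
below are constructed for illustration only.
"""

from dataclasses import dataclass

# Higher score = more attractive to an attacker.
#   criticality:     how much the asset matters to the organization
#   accessibility:   how easy it is to reach (physically or over the network)
#   recuperability:  how long the victim needs to recover once it is hit
#   vulnerability:   how easy it is to compromise with the attacker's means
#   effect:          how far the damage spreads beyond the asset itself
#   recognizability: how easily an outsider can identify it as the target
CRITERIA = ("criticality", "accessibility", "recuperability",
            "vulnerability", "effect", "recognizability")
ABBREV = ("C", "A", "R", "V", "E", "R")


@dataclass
class Target:
    name: str
    scores: dict  # criterion -> integer score in 1..10

    def __post_init__(self):
        missing = set(CRITERIA) - set(self.scores)
        unknown = set(self.scores) - set(CRITERIA)
        if missing or unknown:
            raise ValueError(f"{self.name}: missing={missing} unknown={unknown}")
        for crit, value in self.scores.items():
            if not isinstance(value, int) or not 1 <= value <= 10:
                raise ValueError(f"{self.name}: {crit} must be an int in 1..10")

    def total(self, weights=None):
        """Weighted sum of the six scores (plain sum when weights is None)."""
        weights = weights or {}
        return sum(self.scores[c] * weights.get(c, 1) for c in CRITERIA)


def rank_targets(targets, weights=None):
    """Return [(name, total), ...] with the highest-priority target first.

    Ties are broken alphabetically so the ordering is deterministic.
    """
    rows = [(t.name, t.total(weights)) for t in targets]
    return sorted(rows, key=lambda row: (-row[1], row[0]))


def render_matrix(targets, weights=None):
    """Plain-text CARVER matrix, one row per target, best target on top."""
    header = "target".ljust(24) + " ".join(a.rjust(3) for a in ABBREV) + "  total"
    lines = [header]
    by_name = {t.name: t for t in targets}
    for name, total in rank_targets(targets, weights):
        t = by_name[name]
        cells = " ".join(str(t.scores[c]).rjust(3) for c in CRITERIA)
        lines.append(name.ljust(24) + cells + f"  {total:5d}")
    return "\n".join(lines)


# Constructed sample assets for a fictional company (hypothetical values).
SAMPLE_TARGETS = [
    Target("VP of marketing laptop", dict(criticality=7, accessibility=6, recuperability=4,
                                          vulnerability=8, effect=7, recognizability=8)),
    Target("public web server", dict(criticality=6, accessibility=9, recuperability=6,
                                     vulnerability=4, effect=5, recognizability=9)),
    Target("internal HR database", dict(criticality=9, accessibility=3, recuperability=8,
                                        vulnerability=5, effect=9, recognizability=4)),
    Target("guest Wi-Fi", dict(criticality=2, accessibility=10, recuperability=2,
                               vulnerability=7, effect=3, recognizability=10)),
]

# Optional weighting (an assumption of this example, not part of classic
# CARVER): count accessibility and vulnerability twice.
REACHABILITY_WEIGHTS = {"accessibility": 2, "vulnerability": 2}

if __name__ == "__main__":
    print(render_matrix(SAMPLE_TARGETS))
    print()
    print(render_matrix(SAMPLE_TARGETS, REACHABILITY_WEIGHTS))
```

Run it as a script to see both matrices. With the constructed scores the VP's laptop ranks first either way, but note how the guest Wi-Fi climbs from last place to third once reachability is weighted: that is the kind of shift a red team lead watches for when deciding where to spend a tight timeframe.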