Broad smiles, good suits and fake IDs test security in new dimensions
FEATURE “Go to this McDonald’s,” Chris Gatford told me. “There’s a ‘Create Your Taste’ burger-builder PC there and you should be able to access the OS.
Find that machine, open the command prompt and pretend to do something important.
“I’ll be watching you.”
Gatford instructed your reporter to visit the burger barn because he practices a form of penetration testing called “red teaming”, wherein consultants attack clients using techniques limited only by their imagination, ingenuity, and bravado.
He wanted me to break the burger-builder to probe my weaknesses before he would let The Register ride along on a red-team raid aimed at breaking into the supposedly secure headquarters of a major property chain worth hundreds of millions of dollars.
Before we try for that target, Gatford, director of penetration testing firm HackLabs, wants to know if I will give the game away during a social engineering exploit.
Chris Gatford (Image: Darren Pauli / The Register)
So when the McDonald’s computer turns out to have been fixed and my fake system administrator act cancelled, we visit an office building’s lobby where Gatford challenges me to break into a small glass-walled room containing a shabby-looking ATM.
I can’t see a way into the locked room.
I think I see a security camera peering down from the roof, but later on I’m not sure I did.
I can’t think of a way in and I’m trying to look so casual I know I’m certain to look nervous.
Gatford is finished with the lobby clerk. He asks how I would get in, and hints in my silence that the door responds to heat sensors.
I mutter something stupid about using a hair dryer.
Gatford laughs and reminds me about heat packs you’d slip into gloves or ski boots. “Slide one of those under the crack,” he says.
I’ve failed that test but stayed cool, so Gatford decides he’s happy to have me along on a red-team raid, if only because red teams seldom face significant resistance.
“At the end of the day, people just want to help,” Gatford says.
Costume is therefore an important element of a red team raid.
For this raid, our software exploits are suits and clipboards.
Sometimes it’s high-visibility tradie vests, hard hats, or anything that makes a security tester appear legitimate.
Once dressed for the part, practitioners use social-engineering skills to manipulate staff into doing their bidding.
Fans of Mr Robot may recall an episode where the protagonist uses social engineering to gain access to a highly secure data centre; this is red teaming stylised.
Think a real-world capture the flag where the flags are located in the CEO’s office, the guard office, and highly secure areas behind multiple layers of locked doors.
By scoring flags, testers demonstrate the fallibility of physical defences.
Only one manager, usually the CEO of the target company, tends to know an operation is afoot. Limited knowledge, or black-box testing, is critical to examine the real defences of an organisation. Red teamers are typically not told anything outside of the barebones criteria of the job, while staff know nothing at all.
It catches tech teams off guard and can make them look bad.
Gatford is not the only tester forced to calm irate staff with the same social engineering manipulation he uses to breach defences.
Red teamers almost always win, pushing some to more audacious attacks. Vulture South knows of one Australian team busted by police after the black-clad hackers abseiled down from the roof of a data centre with GoPro cameras strapped to their heads.
Across the Pacific, veteran security tester Charles Henderson tells of how years back he exited a warehouse after a red-teaming job. “I was walking out to leave and I looked over and saw this truck,” Henderson says. “It was full of the company’s disks ready to be shredded.
The keys were in it.” Henderson phoned the CEO and asked if the truck was in-scope, a term signalling a green light for penetration testers.
It was, and if it weren’t for a potential call to police, he would have hopped into the cab and driven off. Henderson now leads Dell’s new red-teaming unit in the United States, which he also built from the ground up.
“There are some instances where criminal law makes little distinction between actions and intent, placing red teams in predicaments during an assignment, particularly when performing physical intrusion tasks,” Nathaniel Carew and Michael McKinnon from Sense of Security’s Melbourne office say. “They should always ensure they carry with them a letter of authority from the enterprise.”
Your reporter has, over pints with the hacking community, heard many stories of law enforcement showing up during red-team ops. One Australian was sitting off a site staring through a military-grade sniper scope, only to have a cop tap on the window.
Gatford some years ago found himself face-to-face in a small room with a massive industrial furnace while taking a wrong turn on a red-team assignment at a NSW utility. He and his colleagues were dressed in suits.
Another tester on an assignment in the Middle East was detained for a day by AK-47-wielding guards after the CEO failed to answer the phone. Red teamers have been stopped by police in London, Sydney, and Quebec, The Register hears.
One of Australia’s notably talented red teamers told of how he completely compromised a huge gaming company using his laptop and mobile phone. Whether red teaming on site or behind the keyboard, the mission is the same: breach by any means necessary.
A fortnight after the ATM incident, The Register is at HackLabs’ Manly office.
It’s an unassuming and unmarked door that takes this reporter several minutes to spot. Upstairs, entry passes to international hacker cons are draped from one wall, a collection of gadgets on a neighbouring shelf.
Then there’s the equipment area.
Scanners, radios, a 3D printer, and network equipment sit beside identity cards sporting the same face but different names and titles.
There’s a PwnPlug and three versions of the iconic Wi-Fi Pineapple over by the lockpicks.
A trio of neon hard hats dangle from hooks.
“What do you think?” Gatford asks.
It’s impressive; a messy collection of more hacking gadgets than this reporter had seen in one place, all showing use or in some stage of construction.
This is a workshop of tools, not toys.
“No one uses the secure stuff, mate.”
In his office, Gatford reveals the target customer. The Register agrees to obscure the client’s name, and any identifying particulars, so the pseudonym “Estate Brokers” will serve.
Gatford speaks of the industry in which it operates, Brokers’ clientele, and their likely approach to security.
The customer has multiple properties in Sydney’s central business district, some housing clients of high value to attackers.
It has undergone technical security testing before, but has not yet evaluated its social engineering resilience.
The day before, Gatford ran some reconnaissance of the first building we are to hit, watching the flow of people in and out of the building from the pavement. Our targets, he says, are the bottlenecks like doors and escalators that force people to bunch up.
He unzips a small suitcase revealing what looks like a large scanner, with cables and D-cell batteries flowing from circuit boards. “It’s an access card reader,” Gatford says.
It reads the most common frequencies used by the typically white rigid plastic door entry cards that dangle from staffer waists.
There are more secure versions that this particular device does not read without modification. “No one uses the secure stuff, mate,” Gatford says with the same half-smile worn by most in his sector when talking about the pervasive unwillingness to spend on security.
I point to a blue plastic card sleeve that turns out to be a SkimSAFE FIPS 201-certified anti-skimming card protector.
Gatford pops an access card into it and waves it about a foot in front of the suitcase-sized scanner.
It beeps and card number data flashes up on a monitor. “So much for that,” Gatford laughs.
He taps away at his Mac, loading up Estate Brokers’ website. “We’ll need employee identity cards or we’ll be asked too many questions,” Gatford says. We are to play the role of contractors on site to conduct an audit of IT equipment, so we will need something that looks official enough to pass cursory inspection.
The company name and logo image are copied over, a mug shot of your reporter snapped, and both are printed on a laminated white identity card.
Gatford does the same for himself. We’re auditors come to itemise Estate Brokers’ security systems and make sure everything is running.
“We should get going,” he says as he places hacking gear into a hard shell suitcase.
So off we go.
Beep beep beep beepbeepbeep
Our attack was staged in two parts over two days.
Estate Brokers has an office in a luxurious CBD tower. We need to compromise that in order to breach the second line of defences. We’ll need an access card to get through the doors, however, and our laptop-sized skimmer, which made a mockery of the SkimSAFE gadget, will be the key.
It is 4:32pm and employees are starting to pour out of the building.
Gatford hands me the skimmer concealed in a very ordinary-looking laptop bag. “Go get some cards,” he says.
Almost everyone clips access cards on their right hip.
If I can get the bag within 30cm of the cards, I’ll hear the soft beep I’ve been training my ear to detect that signals a successful read. Maybe one in 20 wear their access cards like a necklace. “Hold your bag in your left hand, and pretend to check the time on your watch,” Gatford says.
That raises the scanner high enough to get a hit.
I’m talking to no one on my mobile as I clumsily weave in and out of brisk-walking staff, copping shade from those whose patience has expired for the day.
Beep, beep, beep, beep, beepbeepbeepbeep.
There are dozens of beeps, far too many to count.
Then we enter a crowded lift and it’s like a musical.
It’s fun, exhilarating stuff.
The staff hail from law firms, big tech, even the Federal Government.
And we now have their access cards.
Estate Brokers is on level 10, but we need a card to send the lift to it. No matter, people just want to help, remember? The lady in the lift is more than happy to tap her card for the two smiling blokes in suits.
Gatford knows the office and puts me in front. “Walk left, second right, second left, then right.” I recite it. With people behind us, I walk out and start to turn right, before tightening, and speeding up through the security door someone has propped open.
We enter an open-plan office. “They are terrible for security,” I recall Gatford saying earlier that day.
It allows attackers to walk anywhere without the challenge of doors. Lucky for us.
Gatford takes the lead and we cruise past staff bashing away their final hour in cubicles, straight to the stationery room. No one is there as Gatford fills a bag with letter heads and branded pens, while rifling through for other things that could prove useful.
We head back to the lobby for a few more rounds of card stealing. Not all the reads come out clean, and not all the staff we hit are from Estate Brokers, so it pays to scan plenty of cards. “Look out for that guard down there,” Gatford says, indicating the edge of the floor where a security guard can be seen on ground level. “Tell you what, if you can get his card, I’ll give you 50 bucks.”
“You’re on,” I say.
The guard has his card so high on his chest it is almost under his chin.
At this point I think I’m unbeatable, so after one nerve-cooling circuit on the phone, I walk up to him checking my watch with my arm so high I know I look strange.
I don’t care, though, because I figure customer service is a big thing in the corporate world and he’ll keep his opinions to himself.
I ask him where some made-up law firm is as I hear the beep.
It is 8:30am the next day and I am back in Gatford’s office. We peruse the access cards. He opens up the large text file dump of yesterday’s haul and tells me what the data fields represent. “These are the building numbers; they cycle between one and 255, and these are the floor numbers,” he says.
There are blank fields and junk characters from erroneous scans. He works out which belong to Estate Brokers and writes them to blank cards.
Estate Brokers has more buildings that Gatford will test after your reporter leaves. He fires up Apple Maps, and Google Maps Street View. With the eyes of a budding red teamer I am staggered by the level of detail it offers.
Apple is great for external building architecture, like routing pathways across neighbouring rooftops, Gatford says, while Google lets you explore the front of buildings for cameras and possible sheltered access points.
Some mapping services even let you go inside lobbies.
Today’s mission is to get into the guards’ office and record the security controls in place.
If we can learn the name and version of the building management system, we’ve won.
Anything more is a bonus for Gatford’s subsequent report.
We take the Estate Brokers stationery haul along with our access cards and fake identity badges and head out to the firm’s second site.
“Don’t hesitate, be confident.”
But first, coffee in the lobby. We chat about red teaming, about how humans are always the weakest link. We eat and are magnanimous with the waiting staff.
Gatford gets talking to one lady and says how he has forgotten the building manager’s name. “Jason sent us in,” he says, truthfully. Jason is the guy who ordered the red team test, but we don’t have anything else to help us.
The rest is up to Gatford’s skills.
It takes a few minutes for the waitress to come back.
The person who she consulted is suspicious and asks a few challenging questions. Not to worry, we have identity cards and Gatford is an old hand.
I quietly muse over how I would have clammed up and failed at this point, but I’m happily in the backseat, gazing at my phone.
We use the access cards skimmed the day earlier to take the lift up to an Estate Brokers level.
It is a cold, white corridor, unkempt, and made for services, not customers.
There’s a security door, but no one responds to our knocks.
There are CCTV cameras. We return down to the lobby.
Michael is the manager Gatford had asked about. He is standing at the lifts with another guy, and they greet us with brusque handshakes, Michael’s barely concealed irritation threatening to boil over in response to our surprise audit. He rings Jason, but there’s no answer.
I watch Gatford weave around Michael’s questions and witness the subtle defusing.
It’s impressive stuff. Michael says the security room is on the basement level, so we head back into the lift and beep our way down with our cards.
This room is lined with dank, white concrete and dimly lit. We spy the security room beaming with CCTV. “Don’t hesitate, be confident,” Gatford tells me. We stride towards the door, knock, and Gatford talks through the glass slit to the guard inside.
Gatford tells him our story. He’s a nice bloke, around 50 years old, with a broad smile.
After some back-and-forth about how Jason screwed up and failed to tell anyone about the audit, he lets us in.
My pulse quickens as Gatford walks over to a terminal chatting away to the guard.
There are banks of CCTV screens showing footage from around the building.
A pile of access cards.
Some software boxes.
I hear the guard telling Gatford how staff use remote desktop protocol to log in to the building management system, our mission objective.
“What version?” Gatford asks.
It crashes a lot.”
Day one, heading up in a crowded lift (shot with a pen camera).
I look down and there are logins scrawled on Post-it notes. Of course.
I snap a few photos while their backs are turned.
Behind me is a small room with a server rack and an unlocked cabinet full of keys.
I think Gatford should see it so I walk back out and think of a reason to chat to the guard.
I don’t want to talk technology because I’m worried my nerves will make me say something stupid.
I see a motorbike helmet.
“What do you ride?” I ask. He tells me about his BMW 1200GS. Nice bike.
I tell him I’m about ready to upgrade my Suzuki and share a story about a recent ride through some mountainous countryside.
Gatford, meanwhile, is out of sight, holed up in the server room snapping photos of the racks and keys. More gravy for the report.
We thank the guard and leave.
I feel unshakably guilty.
From the red to the black
Gatford and I debrief over drinks, a beer for me, single-malt whiskey for him. We talk again about how the same courtesy and acquiescence to the customer that society demands creates avenues for manipulation.
It isn’t just red teamers who exploit this; their craft is essentially ancient grifts and cons that have ripped off countless gullible victims, won elections or made spear phishing a viable attack.
I ask Gatford why red teaming is needed when the typical enterprise fails security basics, leaving old application security vulnerabilities in place, forgetting to shut down disused domains and relying on known bad practice checkbox compliance-driven audits.
“You can’t ignore one area of security just to focus on another,” he says. “And you don’t do red teaming in isolation.”
Carew and McKinnon agree, adding that red teaming is distinct from penetration testing in that it is a deliberately hostile attack through the easiest path to the heart of organisations, while the latter shakes out all electronic vulnerabilities.
“Penetration testing delivers an exhaustive battery of digital intrusion tests that find bugs from critical, all the way down to informational… and compliance problems and opportunities,” they say in a client paper detailing aspects of red teaming [PDF]. “In contrast, red teaming aims to exploit the most effective vulnerabilities in order to capture a target, and is not a replacement for penetration testing as it provides nowhere near the same exhaustive review.”
Red teaming, they say, helps organisations to better defend against competitors, organised crime, and even cops and spies in some countries.
Gatford sells red teaming as a package.
Australia’s boutique consultancies, and those across the ditch in New Zealand, pride themselves on close partnerships with their clients.
They point out the holes, and then help to heal.
They offer mitigation strategies, harass vendors for patches, and help businesses move bit by bit from exposed to secure.
For his part, Gatford is notably proud of his gamified social engineering training, which he says is designed to showcase the importance of defence against the human side of security, covering attacks like phishing and red teaming.
He’s started training those keen on entering red teaming through a three-day practical course.
“Estate Brokers”, like others signing up for this burgeoning area of security testing, will go through that training.
Gatford will walk staff through how he exploited their kindness to breach the secure core of the organisation.
And how the next time, it could be real criminals who exploit their willingness to help. ®