As we discovered, this type of attack successfully allows an intruder to retrieve user authentication data – even when the targeted system is locked.
The first malware program to lock up people’s files and ask for a ransom was the PC Cyborg Trojan in 1989.
It was created by Harvard-trained evolutionary biologist Dr. Joseph Popp, who was working on several AIDS-related projects at the time. Dr. Popp sent a floppy disk containing a program covering AIDS information, teaching, and testing to tens of thousands of mailing list subscribers.
At startup, a crude EULA warned users they had to pay for the program—and the author reserved the legal right to “ensure termination of your use of the programs .... These program mechanisms will adversely affect other program applications on microcomputers.” Most people didn’t read the EULA and ran the program without paying for it. After 90 boots, the program crudely encrypted/obfuscated the user’s hard drive data, rendering it inaccessible, and asked for a payment of $189 to be sent to a Panamanian post office box. (Check out a great analysis of the Trojan.)

Ransomware evolution

Early ransomware used symmetric key encryption, and the cipher algorithm was often poorly constructed.
Encryption experts could frequently break the ransomware easily, and because the symmetric key was the same shared key in every infection, every computer touched by the same ransomware program could be unlocked at once. Eventually, ransomware authors learned to use public key cryptography (where both a private key and a second public key are involved) and started to use popular, well-known, well-tested cipher algorithms.
A different key pair was generated for each infection, which made ransomware a very difficult problem to solve. By the middle 2000s, tough-to-break ransomware was becoming very popular, but the problem of how hackers would collect their money remained. Real money and credit card transactions can be traced. Enter CryptoLocker, the first widespread ransomware program to demand bitcoin payments.
CryptoLocker first appeared in 2013. When matched with randomly generated email addresses and “darknet” pathways, it became almost impossible to catch ransomware hackers. Ransomware writers and distributors are now making tens, if not hundreds of millions, of dollars off their victims. These days ransomware keeps getting more dangerous and targeted. Ransomware programs are now being developed to attack specific types of data, such as database tables, mobile devices, IoT units, and televisions.
This page chronicles all the significant developments from the last year or so.

Defeating ransomware

First, you need to verify that you’ve actually been hit by ransomware. Less sophisticated programs merely take over your current browser session or computer screen.
They make the same blackmail claims as a more sophisticated ransomware program, but don’t encrypt any files.
All you need to do is reboot the computer and/or use a program like Process Explorer to remove the malicious file.

Nothing beats a good backup.

Nothing beats a current, offline backup.
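One quick way to tell an encrypting ransomware infection from a screen locker is to look at the files themselves: encrypted data has near-maximal byte entropy, and encryptors usually leave a ransom note with a tell-tale name. The script below is an added example, not code from the original article; the keyword list, the entropy threshold and the sample directory it builds are constructed for illustration, and the list of legitimately high-entropy extensions is an assumption you would tune for your own environment.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions whose contents are legitimately high-entropy (compressed or encoded
# by design); a high entropy reading on these is not by itself suspicious.
# Assumption: extend this list for the file types common in your environment.
COMPRESSED_EXTENSIONS = {".zip", ".gz", ".7z", ".rar", ".jpg", ".jpeg", ".png", ".mp4", ".pdf"}
# Words that often appear in ransom-note file names (constructed watch list).
NOTE_KEYWORDS = ("decrypt", "restore", "recover", "readme", "how_to", "ransom")
ENTROPY_THRESHOLD = 7.5  # bits per byte; 8.0 is the theoretical maximum


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or random data approaches 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_file(path: Path, sample_size: int = 65536) -> str:
    """Return 'note', 'encrypted', 'normal' or 'empty' for one file."""
    name = path.name.lower()
    if any(k in name for k in NOTE_KEYWORDS) and path.suffix.lower() in (".txt", ".html", ".hta", ""):
        return "note"
    with path.open("rb") as fh:
        data = fh.read(sample_size)  # only the head is needed to judge entropy
    if not data:
        return "empty"
    if path.suffix.lower() in COMPRESSED_EXTENSIONS:
        return "normal"
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "encrypted"
    return "normal"


def triage_directory(root: str) -> dict:
    """Walk a directory tree and group files by classification."""
    report = {"note": [], "encrypted": [], "normal": [], "empty": []}
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            p = Path(dirpath) / f
            report[classify_file(p)].append(str(p.relative_to(root)))
    for k in report:
        report[k].sort()
    return report


def build_sample_tree() -> str:
    """Create a constructed directory of sample files (not real ransomware output)."""
    root = tempfile.mkdtemp(prefix="triage_")
    (Path(root) / "minutes.txt").write_bytes(b"Quarterly budget meeting " * 2000)  # plain text
    (Path(root) / "photo.jpg").write_bytes(os.urandom(4096))  # high entropy is expected for a JPEG
    (Path(root) / "report.docx.locked").write_bytes(os.urandom(4096))  # random bytes, odd extension
    (Path(root) / "HOW_TO_DECRYPT_FILES.txt").write_text("Your files are encrypted. Pay to recover them.")
    (Path(root) / "empty.log").write_bytes(b"")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for category, files in triage_directory(sample_root).items():
        print(f"{category:10s} {files}")
```

Run it against a user's document folders from a clean machine (mount the suspect disk read-only) and compare the `encrypted` and `note` buckets with the ransom message on screen; a screen locker leaves both buckets empty.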
The “offline” part is important because many ransomware programs will look for your online backups and render them unusable, too.

Get patched.

Making sure your system is fully patched is a great way to prevent any malware from infecting your computer. But also verify that they are the real patches from the real vendors. Unfortunately, fake patches often contain ransomware.

Don’t get tricked.

Don’t let yourself get socially engineered into installing ransomware.
In other words, don’t install anything sent to you in email or offered to you when visiting a website.
If a website says you need to install something, either leave the website and don’t go back—or leave the website and install the software directly from the legitimate vendor’s website. Never let a website install another vendor’s software for you.

Use antimalware software.

Everyone needs to run at least one antimalware program. Windows comes with Windows Defender, but there are dozens of commercial competitors and some good freebies. Ransomware is malware. Antimalware software can stop the majority of variants before they hit.

Use a whitelisting program.

Application control or whitelisting programs stop any unauthorized program from executing.
These programs are probably the best defense against ransomware (besides a good offline backup).
Although many people think application control programs are too cumbersome to use, expect them to become much more accepted as ransomware continues to grow, at least in business computing.
The days of allowing employees to run any program they want are numbered.

What to do if you’re locked up

If all your critical data is backed up and safe, then you’ll be back in business in a few hours’ time. You’ll still need to reformat/reset/restore your device, however. Luckily, that process gets easier with each new operating system version. Using another safe, uninfected computer, restore your backup.
Apply all critical security patches, restore your data, and resolve never to do what you did that got your device locked up in the first place. If you don’t have a clean backup copy of your critical data and absolutely need the data, you have two options: Find an unlock key or pay the ransomware demand. Using another safe, trusted computer, research as much as you can about the particular ransomware variant you have.
The screen message presented by the ransomware will help you identify the variant. If you’re lucky, your ransomware variant may already have been unlocked. Many antimalware vendors have programs to detect and unlock ransomware (if it recognizes the variant and has the unlock key). Run that program first. It may take an offline scan to get rid of the ransomware.
Several websites also offer unlocking services, free and commercial, for particular ransomware variants. Here’s an example of a ransomware unlocker.
Also, believe it or not, ransomware distributors will even occasionally apologize and release their own unlocking programs. Lastly, many people choose to pay the ransomware to recover their files. Most experts and companies recommend against paying ransom because it only encourages the ransomware creators and distributors. Yet quite often it works.
It’s your computer and data, so it’s up to you whether to pay the ransom. Be aware that in many cases people have paid up and their files have remained encrypted.
But these cases seem to be in the minority.
If ransomware didn’t unlock files after the money was paid, everyone would learn that—and ransomware attackers would make less money. I hope you never become a ransomware victim.
The odds of infection, unfortunately, are getting worse as ransomware gains popularity and sophistication.
Some antivirus companies that are big in Europe don't get as much mindshare here in the US.
G Data is one such security software maker.
According to the G Data website, G Data developed the very first antivirus in 1985; while some dispute that claim, the company has clearly been around for a while.
G Data Antivirus 2017 is the company's latest, and it does a good bit more than the basics of antivirus protection.
At $39.95 per year for a single license, G Data is in good company price-wise.
Bitdefender, Kaspersky Anti-Virus, Norton, and Webroot are among the numerous products at that price point.
For another $10, you can install G Data on up to three PCs.
If you go for a multi-PC license, you create an account for the first installation, then log in to that account for the rest.
G Data's main window features a bold red banner across the top. Not red for danger, or for stop—it's just red.
The rest of the main window displays the status of the product's numerous protection features, in several groups.
A green checkmark icon indicates that the feature is fully active.
For a partially disabled component, the icon changes to a yellow exclamation point; a fully disabled feature gets a grey dash icon. Naturally, you want to see green across the board.
G Data participates in testing with three of the five independent testing labs that I follow.
In Virus Bulletin's RAP (Reactive And Proactive) test, it scored 85.19 percent.
The average score for products I follow is 81.99 percent, so G Data comes in above average. PC Pitstop PC Matic scored highest in the latest test, with 94.75 percent, but failed overall due to many false positives.
Testers at AV-Test Institute look at antivirus products from three different perspectives, assigning up to six points for each of the criteria.
G Data earned 6 points in the all-important protection category, and by avoiding false positives (detection of valid programs as malicious) it managed another six points for usability.
A small impact on performance dragged its score in that category down to five points, however.
The overall score of 17 points wasn't quite enough to earn it a Top Product rating, but it's good.
In that same test, Kaspersky scored a perfect 18 points.
Bitdefender, Quick Heal, and Trend Micro Antivirus+ Security got 17.5 points.
These four earned the designation Top Product.
Most of the lab tests I follow report a range of results. MRG-Effitas takes a different tack.
To pass the banking Trojans test, a product must protect against every sample used; anything less is failure. Over 70 percent of tested products fail, G Data among them.
Due to the binary pass/fail nature of this test, I give it less weight when calculating an aggregate lab score.
G Data's three lab results worked out to an aggregate score of 8.7 points, which is better than most companies manage. However, based on tests from all five labs, Kaspersky took 9.8 of 10 available points, the best aggregate score.
Avira Antivirus and Norton managed 9.7 points, each tested by three of the five labs.
Effective Malware Blocking
Your antivirus utility has many opportunities to save your PC from malware attack.
It can block access to the malware-hosting website, eliminate the threat on download, detect and delete known malware based on its signature, and even detect unknown malware based on behavior alone.
G Data includes all of these layers of protection, and my hands-on testing showed them in action.
In addition to scanning files on access, G Data scans your computer any time it's idle.
Between real-time protection and idle-time scanning, there isn't a screaming need for a full scan of your whole computer.
If you want a full scan, you click the Idle Time Scan link on the main window and choose Check Computer.
A full scan of my standard test system took an hour and 40 minutes, over twice the current average of about 45 minutes.
But once again, unless you actively suspect an infestation you should be able to just rely on the idle-time scan.
When I opened the folder containing my current collection of malware samples, G Data started examining them.
The process was slower than with many competing products, but clearly very thorough.
In most cases, it offered to quarantine the item as its default action; for a few, it advised simply blocking the file from execution.
By the time it finished, 97 percent of the samples were either quarantined or deactivated.
I keep a second set of samples on hand; these are modified versions of the originals.
To create each modified sample, I change the filename, append nulls to change the file size, and overwrite some non-executable bytes.
G Data detected all of the same samples, even in their tweaked form.
In addition, it detected all the remaining samples after execution, for a 100 percent detection rate. Webroot SecureAnywhere AntiVirus, F-Secure, and Ashampoo Anti-Virus 2016 also detected 100 percent of the samples. PC Matic also blocked 100 percent of the samples, but then, it blocks any unknown program.
Webroot managed a perfect 10 points in this test.
G Data, like F-Secure Anti-Virus, allowed a few executable traces to hit the test system, but the 9.8 points both of them earned is still very respectable.
For another view of each product's ability to protect against malware, I use a feed of current malware-hosting URLs supplied by MRG-Effitas.
I launch each URL in turn, discarding any that are defective, and noting whether the antivirus blocks access to the URL, wipes out the malware download, or fails to respond at all.
I keep at it until I've accumulated data for 100 malicious URLs.
G Data earned a 78 percent detection rate in this test, in most cases by blocking access to the malware-hosting URL.
That's just a middling score.
Symantec Norton AntiVirus Basic and PC Pitstop managed 98 percent protection, with Avira close behind at 75 percent.
I didn't see G Data's behavior monitoring kick in during these tests, because other protection layers beat it to the punch.
In any case, behavior monitoring in some antivirus products bombards the user with dire warnings about good and bad programs alike.
For a sanity check, I installed about 20 old PCMag utilities, programs that tie into the operating system in ways that malware might also do.
G Data didn't flag any of the PCMag utilities, but it did give the stink-eye to two of my hand-written test programs.
It popped up a clear warning that the test program might be malicious, with a detailed list of its reasons, and its reasons made total sense.
A program that launches Internet Explorer and manipulates it to download malware? That's suspicious! I'm pleased to see that behavior monitoring kicks in for a pattern of suspicious behavior, not for every little potential problem.
So-So Phishing Protection
Writing a data-stealing Trojan and getting it somehow installed on victim PCs can be a tough job.
Simply tricking users into giving away their passwords and other personal data can be quite a bit easier. Phishing websites masquerade as financial sites, Web-based email services, even online games.
If you enter your username and password on the fraudulent site, you've given the fraudsters full access to your account.
If the website looks just like PayPal but the URL is something goofy like armor-recycling.ru, at least some users will detect the fraud.
But sometimes the URL is so close to the real thing that only those with sharp eyes will spot it as a fake.
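Catching the "close to the real thing" URLs the review describes is something a mail gateway or proxy can do mechanically: decode any punycode label, collapse look-alike characters into a skeleton, and compare the result with the domains you care about. The script below is an added example, not part of the original review and not G Data's or Norton's code; the protected-domain list and the confusable table are constructed, the "last two labels" rule for the registrable domain is a simplification (a real filter would use the public suffix list), and the 0.8 similarity threshold is a tuning assumption.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed watch list of legitimate domains whose brand we want to protect.
PROTECTED_DOMAINS = ["paypal.com", "google.com", "microsoft.com"]

# Small constructed confusable table: look-alike characters mapped to the ASCII
# letter they imitate (a production filter would use the Unicode confusables data).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x",
    "0": "o", "1": "l", "3": "e", "5": "s", "|": "l",
}
# Letter pairs that read as a single different letter in many fonts.
MULTI_CHAR = [("rn", "m"), ("vv", "w")]
TYPO_THRESHOLD = 0.8  # assumption: similarity ratio above this counts as typosquatting


def to_unicode(host: str) -> str:
    """Decode punycode (xn--) labels so homoglyphs can be inspected."""
    if "xn--" in host:
        try:
            return host.encode("ascii").decode("idna")
        except UnicodeError:
            return host
    return host


def make_skeleton(text: str) -> str:
    """Collapse confusable characters into the ASCII string they imitate."""
    for seq, rep in MULTI_CHAR:
        text = text.replace(seq, rep)
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    text = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in text if not unicodedata.combining(ch))


def check_domain(domain: str) -> dict:
    """Classify a host name as legitimate, lookalike or unrelated to the watch list."""
    host = to_unicode(domain.lower().rstrip("."))
    labels = host.split(".")
    registrable = ".".join(labels[-2:])  # simplification: no public suffix list
    skeleton = make_skeleton(registrable)
    sld = skeleton.split(".")[0]
    subdomain_skeletons = [make_skeleton(l) for l in labels[:-2]]
    for protected in PROTECTED_DOMAINS:
        brand = protected.split(".")[0]
        if registrable == protected:
            return {"domain": domain, "verdict": "legitimate", "target": protected, "reason": "exact match"}
        if skeleton == protected:
            return {"domain": domain, "verdict": "lookalike", "target": protected, "reason": "homoglyph"}
        if brand in subdomain_skeletons:
            return {"domain": domain, "verdict": "lookalike", "target": protected, "reason": "brand in subdomain"}
        if SequenceMatcher(None, sld, brand).ratio() >= TYPO_THRESHOLD:
            return {"domain": domain, "verdict": "lookalike", "target": protected, "reason": "typosquat"}
    return {"domain": domain, "verdict": "unrelated", "target": None, "reason": "none"}


if __name__ == "__main__":
    # Constructed sample URLs; armor-recycling.ru is the review's own example of an obvious fake.
    for d in ["paypal.com", "paypa1.com", "rnicrosoft.com", "paypall.com",
              "paypal.com.secure-login.example", "armor-recycling.ru"]:
        r = check_domain(d)
        print(f"{d:35s} {r['verdict']:10s} {r['reason']}")
```

The skeleton comparison is what separates this from a plain blacklist: a blacklist only knows URLs that have already been reported, while the skeleton flags a never-seen domain that merely resembles a protected one, which is exactly the gap the "haven't yet been analyzed and blacklisted" test below probes.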
Antivirus programs that have a Web protection component usually attempt to protect users against phishing as well, and G Data is no exception.
To test the efficacy of a product's antiphishing component, I first scour the Web for extremely new phishing URLs, preferably URLs that were reported as fraudulent but that haven't yet been analyzed and blacklisted.
I launch each simultaneously in one browser protected by the product under test and another protected by long-time fraud fighter Norton.
I also launch each URL in instances of Chrome, Firefox, and Internet Explorer, relying on the browser's built-in phishing detection.
Because the collection of fraudulent sites differs every time, I report results in relative terms rather than absolute detection rate.
Very few products do better than Norton in this test, but many come closer than G Data did.
G Data's detection rate came in 45 percentage points below Norton's, which is a poor result.
Internet Explorer and Chrome both did a better job than G Data. Yes, G Data beat Firefox, but Firefox hasn't been doing very well lately.
The lesson here? Don't turn off your browser's built-in phishing protection.
Along with the expected antivirus features, G Data gives you several features that you'd expect to see in a security suite.
I tested its exploit protection by hitting the test system with about 30 exploits generated by the CORE Impact penetration tool.
It identified 30 percent of the exploits by name and blocked another 20 percent using more generic detection.
That 50 percent detection total is as good as what Kaspersky Internet Security managed in this test. Norton leads this test, with 63 percent protection.
Like Safepay in Bitdefender Antivirus Plus 2017 and Kaspersky's Safe Money, G Data's BankGuard feature aims to protect your financial transactions.
Bitdefender uses a whole separate desktop to run Safepay, and Kaspersky puts a glowing green border around the browser protected by Safe Money.
By contrast, BankGuard works invisibly to protect all your browsers.
The only way to see it in action is to encounter a Trojan that attempts a man-in-the-browser attack or other data-stealing technique.
The related keylogger protection feature was easier to test than BankGuard.
I installed a popular free keylogger, typed some data into Notepad, typed into my browsers, and then typed in Notepad again. When I brought up the keylogger's keystroke capture report, it showed no keystrokes between the two uses of Notepad.
To test G Data's ransomware protection component, I first turned off every other feature related to real-time malware protection. When I launched a ransomware sample, it quickly popped up a warning about suspicious behavior that suggests encrypting ransomware, with the caveat that if you are actively running an encryption utility yourself, you can ignore the warning. My G Data contact noted that in most cases, some other layer of protection will block the ransomware before it gets to this point.
G Data has long featured the ability to manage the programs that launch automatically when your system boots.
Its Autostart Manager can delay launch of any such program for from one to 10 minutes, or set it to never launch at startup. You can also configure it to launch the program when the system's startup activity has died down.
This is a more fine-grained control than you get with the similar feature in Norton.
A Mature Product
G Data has been around longer than almost any of its competitors, and G Data Antivirus 2017 is a mature product.
Since my last review, it has added components specifically designed to protect against exploits, keyloggers, banking Trojans, and ransomware.
It earned a great score in my hands-on malware-blocking test, and took decent scores from the independent testing labs. However, it proved less effective at blocking access to malicious and fraudulent URLs.
Bitdefender Antivirus Plus and Kaspersky Anti-Virus earn top scores from the independent labs.
Symantec Norton AntiVirus Basic scored high in all of my hands-on tests, and includes an impressive set of bonus features. Webroot SecureAnywhere Antivirus goes even farther with behavior-based detection, making it the tiniest antivirus around.
And a single license for McAfee AntiVirus Plus lets you install protection on every device in your household. Out of the huge range of antivirus products, these five have earned the title Editors' Choice.
Find that machine, open the command prompt and pretend to do something important.

"I'll be watching you."

Gatford instructed your reporter to visit the burger barn because he practices a form of penetration testing called "red teaming", wherein consultants attack clients using techniques limited only by their imagination, ingenuity, and bravado. He wanted me to break the burger-builder to probe my weaknesses before he would let The Register ride along on a red-team raid aimed at breaking into the supposedly secure headquarters of a major property chain worth hundreds of millions of dollars. Before we try for that target, Gatford, director of penetration testing firm HackLabs, wants to know if I will give the game away during a social engineering exploit.

[Image: Chris Gatford (Darren Pauli / The Register)]

So when the McDonald's computer turns out to have been fixed and my fake system administrator act cancelled, we visit an office building's lobby where Gatford challenges me to break into a small glass-walled room containing a shabby-looking ATM. I can't see a way into the locked room.
I think I see a security camera peering down from the roof, but later on I'm not sure I did.
I can't think of a way in and I'm trying to look so casual I know I'm certain to look nervous. Time's up.
Gatford is finished with the lobby clerk. He asks how I would get in, and hints in my silence that the door responds to heat sensors. I mutter something stupid about using a hair dryer.
Gatford laughs and reminds me about heat packs you'd slip into gloves or ski boots. "Slide one of those under the crack," he says. I've failed that test but stayed cool, so Gatford decides he's happy to have me along on a red-team raid, if only because red teams seldom face significant resistance. "At the end of the day, people just want to help," Gatford says.

Red alert

Costume is therefore an important element of a red team raid.
For this raid, our software exploits are suits and clipboards.
Sometimes it's high-visibility tradie vests, hard hats, or anything that makes a security tester appear legitimate. Once dressed for the part, practitioners use social-engineering skills to manipulate staff into doing their bidding.
Fans of Mr Robot may recall an episode where the protagonist uses social engineering to gain access to a highly secure data centre; this is red teaming stylised.
Think a real-world capture the flag where the flags are located in the CEO's office, the guard office, and highly secure areas behind multiple layers of locked doors. By scoring flags, testers demonstrate the fallibility of physical defences. Only one manager, usually the CEO of the target company, tends to know an operation is afoot. Limited knowledge, or black-box testing, is critical to examine the real defences of an organisation. Red teamers are typically not told anything outside of the barebones criteria of the job, while staff know nothing at all.
It catches tech teams off guard and can make them look bad.
Gatford is not the only tester forced to calm irate staff with the same social engineering manipulation he uses to breach defences. Red teamers almost always win, pushing some to more audacious attacks. Vulture South knows of one Australian team busted by police after the black-clad hackers abseiled down from the roof of a data centre with Go-Pro cameras strapped to their heads. Across the Pacific, veteran security tester Charles Henderson tells of how years back he exited a warehouse after a red-teaming job. "I was walking out to leave and I looked over and saw this truck," Henderson says. "It was full of the company's disks ready to be shredded.
The keys were in it." Henderson phoned the CEO and asked if the truck was in-scope, a term signalling a green light for penetration testers.
It was, and if it weren't for a potential call to police, he would have hopped into the cab and driven off. Henderson now leads Dell's new red-teaming unit in the United States, which he also built from the ground up. "There are some instances where criminal law makes little distinction between actions and intent, placing red teams in predicaments during an assignment, particularly when performing physical intrusion tasks," Nathaniel Carew and Michael McKinnon from Sense of Security's Melbourne office say. "They should always ensure they carry with them a letter of authority from the enterprise." Your reporter has, over pints with the hacking community, heard many stories of law enforcement showing up during red-team ops. One Australian was sitting off a site staring through a military-grade sniper scope, only to have a cop tap on the window.
Gatford some years ago found himself face-to-face in a small room with a massive industrial furnace while taking a wrong turn on a red-team assignment at a NSW utility. He and his colleagues were dressed in suits.
Another tester on an assignment in the Middle East was detained for a day by AK-47-wielding guards after the CEO failed to answer the phone. Red teamers have been stopped by police in London, Sydney, and Quebec, The Register hears. One of Australia's notably talented red teamers told of how he completely compromised a huge gaming company using his laptop and mobile phone. Whether red teaming on site or behind the keyboard, the mission is the same: breach by any means necessary.

Equipment check

A fortnight after the ATM incident, The Register is at HackLabs' Manly office.
It's an unassuming and unmarked door that takes this reporter several minutes to spot. Upstairs, entry passes to international hacker cons are draped from one wall, a collection of gadgets on a neighbouring shelf.
Then there's the equipment area.
Scanners, radios, a 3D printer, and network equipment sit beside identity cards sporting the same face but different names and titles.
There's a PwnPlug and three versions of the iconic Wi-Fi Pineapple over by the lockpicks.
A trio of neon hard hats dangle from hooks. "What do you think?" Gatford asks.
It's impressive; a messy collection of more hacking gadgets than this reporter had seen in one place, all showing use or in some stage of construction.
This is a workshop of tools, not toys. In his office, Gatford revealed the target customer. The Register agrees to obscure the client's name, and any identifying particulars, so the pseudonym "Estate Brokers" will serve.
Gatford speaks of the industry in which it operates, Brokers' clientele, and their likely approach to security. The customer has multiple properties in Sydney's central business district, some housing clients of high value to attackers.
The device reads the most common frequencies used by the typically white rigid plastic door entry cards that dangle from staffer waists.
There are more secure versions that this particular device does not read without modification. "No one uses the secure stuff, mate," Gatford says with the same half-smile worn by most in his sector when talking about the pervasive unwillingness to spend on security. I point to a blue plastic card sleeve that turns out to be a SkimSAFE FIPS 201-certified anti-skimming card protector.
Gatford pops an access card into it and waves it about a foot in front of the suitcase-sized scanner.
It beeps and card number data flashes up on a monitor. "So much for that," Gatford laughs. He taps away at his Mac, loading up Estate Brokers' website. "We'll need employee identity cards or we'll be asked too many questions," Gatford says. We are to play the role of contractors on site to conduct an audit of IT equipment, so we will need something that looks official enough to pass cursory inspection. The company name and logo image is copied over, a mug shot of your reporter snapped, and both are printed on a laminated white identity card.
Gatford does the same for himself. We're auditors come to itemise Estate Brokers' security systems and make sure everything is running. "We should get going," he says as he places hacking gear into a hard shell suitcase.
So off we go.

Beep beep beep beepbeepbeep

Our attack was staged in two parts over two days.
Estate Brokers has an office in a luxurious CBD tower. We need to compromise that in order to breach the second line of defences. We'll need an access card to get through the doors, however, and our laptop-sized skimmer, which made a mockery of the SkimSAFE gadget, will be the key. It is 4:32pm and employees are starting to pour out of the building.
Gatford hands me the skimmer concealed in a very ordinary-looking laptop bag. "Go get some cards," he says. Almost everyone clips access cards on their right hip.
If I can get the bag within 30cm of the cards, I'll hear the soft beep I've been training my ear to detect that signals a successful read. Maybe one in 20 wear their access cards like a necklace. "Hold your bag in your left hand, and pretend to check the time on your watch," Gatford says.
That raises the scanner high enough to get a hit. I'm talking to no one on my mobile as I clumsily weave in and out of brisk walking staff, copping shade from those whose patience has expired for the day.
Beep, beep, beep, beep, beepbeepbeepbeep.
There are dozens of beeps, far too many to count.
Then we enter a crowded lift and it's like a musical.
It's fun, exhilarating stuff.
The staff hail from law firms, big tech, even the Federal Government.
And we now have their access cards. Estate Brokers is on level 10, but we need a card to send the lift to it. No matter, people just want to help, remember? The lady in the lift is more than happy to tap her card for the two smiling blokes in suits.
Gatford knows the office and puts me in front. "Walk left, second right, second left, then right." I recite it. With people behind us, I walk out and start to turn right, before tightening, and speeding up through the security door someone has propped open. We enter an open-plan office. "They are terrible for security," I recall Gatford saying earlier that day.
It allows attackers to walk anywhere without the challenge of doors. Lucky for us.
Gatford takes the lead and we cruise past staff bashing away their final hour in cubicles, straight to the stationery room. No one is there as Gatford fills a bag with letter heads and branded pens, while rifling through for other things that could prove useful. We head back to the lobby for a few more rounds of card stealing. Not all the reads come out clean, and not all the staff we hit are from Estate Brokers, so it pays to scan plenty of cards. "Look out for that guard down there," Gatford says, indicating the edge of the floor where a security guard can be seen on ground level. "Tell you what, if you can get his card, I'll give you 50 bucks." "You're on," I say. The guard has his card so high on his chest it is almost under his chin.
At this point I think I'm unbeatable so after one nerve-cooling circuit on the phone, I walk up to him checking my watch with my arm so high I know I look strange.
I don't care, though, because I figure customer service is a big thing in the corporate world and he'll keep his opinions to himself.
I ask him where some made-up law firm is as I hear the beep.

Silver tongue

It is 8:30am the next day and I am back in Gatford's office. We peruse the access cards. He opens up the large text file dump of yesterday's haul and tells me what the data fields represent. "These are the building numbers; they cycle between one and 255, and these are the floor numbers," he says.
There are blank fields and junk characters from erroneous scans. He works out which belong to Estate Brokers and writes them to blank cards.
They work. More reconnaissance.
Estate Brokers has more buildings that Gatford will test after your reporter leaves. He fires up Apple Maps, and Google Maps Street View. With the eyes of a budding red teamer I am staggered by the level of detail it offers.
Apple is great for external building architecture, like routing pathways across neighbouring rooftops, Gatford says, while Google lets you explore the front of buildings for cameras and possible sheltered access points.
Some mapping services even let you go inside lobbies. Today's mission is to get into the guards' office and record the security controls in place.
If we can learn the name and version of the building management system, we've won.
Anything more is a bonus for Gatford's subsequent report. We take the Estate Brokers stationery haul along with our access cards and fake identity badges and head out to the firm's second site. But first, coffee in the lobby. We chat about red teaming, about how humans are always the weakest link. We eat and are magnanimous with the waiting staff.
Gatford gets talking to one lady and says how he has forgotten the building manager's name. "Jason sent us in," he says, truthfully. Jason is the guy who ordered the red team test, but we don't have anything else to help us.
The rest is up to Gatford's skills. It takes a few minutes for the waitress to come back.
The person who she consulted is suspicious and asks a few challenging questions. Not to worry, we have identity cards and Gatford is an old hand.
I quietly muse over how I would have clammed up and failed at this point, but I'm happily in the backseat, gazing at my phone. We use the access cards skimmed the day earlier to take the lift up to an Estate Brokers level.
It is a cold, white corridor, unkempt, and made for services, not customers.
There's a security door, but no one responds to our knocks.
There are CCTV cameras. We return down to the lobby. Michael is the manager Gatford had asked about. He is standing at the lifts with another guy, and they greet us with brusque handshakes, Michael's barely concealed irritation threatening to boil over in response to our surprise audit. He rings Jason, but there's no answer.
I watch Gatford weave around Michael's questions and subtly defuse his irritation.
It's impressive stuff. Michael says the security room is on the basement level, so we head back into the lift and beep our way down with our cards. The basement is lined with dank, white concrete and dimly lit. We spy the security room beaming with CCTV. "Don't hesitate, be confident," Gatford tells me. We stride towards the door, knock, and Gatford talks through the glass slit to the guard inside. Gatford tells him our story. He's a nice bloke, around 50 years old, with a broad smile.
After some back-and-forth about how Jason screwed up and failed to tell anyone about the audit, he lets us in. My pulse quickens as Gatford walks over to a terminal chatting away to the guard.
There are banks of CCTV screens showing footage from around the building.
A pile of access cards.
Some software boxes. I hear the guard telling Gatford how staff use remote desktop protocol to log in to the building management system, our mission objective. "What version?" Gatford asks. "Uh, 7.1.
It crashes a lot." Bingo.

[Photo caption: Day one, heading up in a crowded lift. Shot with a pen camera.]

I look down and there are logins scrawled on Post-it notes. Of course.
I snap a few photos while their backs are turned. Behind me is a small room with a server rack and an unlocked cabinet full of keys.
I think Gatford should see it so I walk back out and think of a reason to chat to the guard.
I don't want to talk technology because I'm worried my nerves will make me say something stupid.
I see a motorbike helmet. "What do you ride?" I ask. He tells me about his BMW 1200GS. Nice bike.
I tell him I'm about ready to upgrade my Suzuki and share a story about a recent ride through some mountainous countryside. Gatford, meanwhile, is out of sight, holed up in the server room snapping photos of the racks and keys. More gravy for the report. We thank the guard and leave.
I feel unshakably guilty.

From the red to the black

Gatford and I debrief over drinks, a beer for me, single-malt whiskey for him. We talk again about how the same courtesy and acquiescence to the customer that society demands creates avenues for manipulation. It isn’t just red teamers who exploit this; their craft is essentially ancient grifts and cons that have ripped off countless gullible victims, won elections or made spear phishing a viable attack.

I ask Gatford why red teaming is needed when the typical enterprise fails security basics, leaving old application security vulnerabilities in place, forgetting to shut down disused domains and relying on known bad practice checkbox compliance-driven audits. "You can't ignore one area of security just to focus on another," he says. "And you don't do red teaming in isolation."

Carew and McKinnon agree, adding that red teaming is distinct from penetration testing in that it is a deliberately hostile attack through the easiest path to the heart of an organisation, while the latter shakes out all electronic vulnerabilities. "Penetration testing delivers an exhaustive battery of digital intrusion tests that find bugs from critical, all the way down to informational... and compliance problems and opportunities," they say in a client paper detailing aspects of red teaming [PDF]. "In contrast, red teaming aims to exploit the most effective vulnerabilities in order to capture a target, and is not a replacement for penetration testing as it provides nowhere near the same exhaustive review." Red teaming, they say, helps organisations to better defend against competitors, organised crime, and even cops and spies in some countries.

Gatford sells red teaming as a package.
Australia's boutique consultancies, and those across the ditch in New Zealand, pride themselves on close partnerships with their clients.
They point out the holes, and then help to heal.
They offer mitigation strategies, harass vendors for patches, and help businesses move bit by bit from exposed to secure. For his part, Gatford is notably proud of his gamified social engineering training, which he says is designed to showcase the importance of defence against the human side of security, covering attacks like phishing and red teaming. He's started training those keen on entering red teaming through a three-day practical course. "Estate Brokers", like others signing up for this burgeoning area of security testing, will go through that training.
Gatford will walk staff through how he exploited their kindness to breach the secure core of the organisation. And how the next time, it could be real criminals who exploit their willingness to help. ®