Pyr0 on “the art of espionage” at Shakacon

Sarah Blankinship and I are presenting Securing with the Enemy: Social strategy and team of rivals at Shakacon today.  More about our talk later; this post has notes from the keynote presentation on The Art of Espionage, by Luke McOmie (aka Pyr0) of British Telecom.

Luke’s consulting includes “real world risk assessments”, which sometimes involves breaking into his clients’ companies to test their security.  So it’s a great opportunity to hear about the kinds of techniques the real bad guys use.  Fascinating stuff!

Goal for talk: help develop the mindset needed to understand and implement strong security in real world environments.  “A lot of people take templates and manipulate them to fit their environment … but that’s just putting yourself in a box!”

How frequently do people planning and implementing corporate security systems interact with the rest of the company?  Too often it’s a monthly meeting, involving CSO/CFO/CIO etc … but the threats happen all month long.  Average cost of a “major incident” is up to $480K (from $168K in 2006).  Several small and medium companies have gone out of business as a result.

People focus almost purely on the technology, and then write processes — almost no attention to the people.  Better: more balanced, make sure people are adequately trained against the threats: physical, electronic, malfunction/inherent, social engineering, blended threat.

Example electronic threat: RFID capture/spoofing/replay — Zac Franken et al last year rigged something up at Black Hat which read your card when you walked on it and took a picture with a webcam; Chinese companies like DealExtreme and YoPool are selling spoofers.

Another: an attack on a US electronic gaming company, traced down to a coordinated team in Turkey — for example, redirecting people who wanted to buy weapons in the game with credit cards to the attackers’ web site, which mirrored the real site.  It turned out to be a company trying to get the distribution rights in Turkey.  Cost of attack: $15-$30K, including a red team of 14-32 people; cost to gaming company: $945K.

Example social engineering attack: fake email from the VP of HR saying “everybody needs to visit this site to ensure we’re FIPS compliant”, redirecting people to a spoofed site which looks like the corporate site but instead actually harvests information — including network credentials.  “Typically when I send this to 50 people, at least 30 to 40 fall for it.”

Another example: printed 12 CDs with the company logo and wrote “Payroll” on them, and dropped them in the mailroom, bathroom, and other public areas.  (Recommend using Metasploit’s MSFPayload in this situation.)  Within two hours, we had access to 8 machines … by the next day, 20 — including people’s home machines.  Some people were well-trained, and turned it in to accounting; accounting said “I don’t know what this is”, so put in the CD to check … and boom, we were on the private financial network.  [They shouldn’t have been connected to the

Spoofapp/spoofcard: free download; for $10 you can have a different number show up from your cellphone calls for 60 minutes.  Example: a call from my phone looks like it comes from the US Secret Service.  Can change your voice from male to female, record your calls.  [Don’t use it for illegal purposes — if they get hit with a subpoena, they’ll cooperate.  For that, you need your own Asterisk server.]

Try this at home (your office): information gathering, vulnerability analysis (it’s not just the computers!), target selection, planning, execution.  For vulnerability analysis and potential targets, look at internal, external, hired (e.g. cleaning crews), personal.  Keys to executing the attack: get what you need, don’t get greedy, and get out cleanly.

For remote info gathering, Maltego (formerly Paterva) lets you take a phone number, name, or email address and get all kinds of information.  “The tool’s amazing.”  Spokeo allows you to harvest and mine social network sites.  “You can sign up for free — you don’t even need to give them real info…. after I’ve used Maltego to get information about, say, the head of IT, I’ll use Spokeo to find out information like their hobbies etc.”  Also Google hacking, Hoovers (the #1 business intelligence site on the internet), public records, Google Maps.  “Google is the single largest data mining project on this earth.”

Preparing you for the attack: your brain is the most important tool you have.  Law enforcement uses a stop light metaphor.  Most people are in the “green” stage: comfortable, unaware of threats.  Yellow: alert, aware of your surroundings, attentive, watchful — most security people are in this state.  Red: heightened awareness, waiting for something to go wrong, prepared for the worst … and so able to react instantly.  “If you’re challenged, you need to reply instantly. ‘Who are you?’ ‘uh .. uh .. uh’  They won’t believe anything you say.”

Physical preparation: get a business card printed — with your name on it so it matches your identification.  To get a company shirt, visit local thrift stores.  Bring a change of clothes … and electrical tools to bypass locks.

USB switchblade: plug it into a machine, and within a minute it gets all the account information, network information, etc.