What I do

I am an Information Risk Consultant and Penetration Tester. I specialize mostly in penetrating secure networks and computer systems: I simulate an organized, professional attack against your organization, after which a detailed report summarizing the weaknesses found and the vectors exploited is delivered. This will help you gain control over your infrastructure's security and maximize your protection.

Sunday, December 15, 2013

Black Box Penetration Testing

Before I start on this post, let me make it clear: there is no such thing as a Black Box Vulnerability Assessment and there is no such thing as Black Box Internal Pentesting. "Shit people say to clients."
Black Box Pentesting is very different, and as the world of Information Security shifts towards Information Risk, this form of testing is changing too: clients will need a full, real-world service.

There are several pentesting scenarios you should use when testing infrastructures, and they should be real-world ones. I will explain some here that I have used over the years, most of them in the Middle East and Europe, and just a few in Africa, but I am still working through different contracts to educate clients on how to tell Real World Pentesting from Normal Pentesting, and both of those from Fake Pentesting.

Insider Threat

Criminals use this a lot against banks: they recruit a developer, a janitor or any other member of staff to provide information about, and access to, the infrastructure.

Government Impostors

Pretending to be a government agency conducting an investigation, e.g. the KRA (Kenya Revenue Authority). Because most people don't know the law, they will let you do almost anything to almost everything in an infrastructure.

Covert Data and Evidence Acquisition

Spy agencies, and the police too, acquire evidence clandestinely by hiring hackers to infiltrate a firm, especially law firms, to gain access to vital information, mostly for either national security or simply for superiority over the other side.

Thieves, literally Thieves

I have been in security tests where we have stolen wireless devices, broken into desks, jumped over fences, broken windows and cracked safes, everything thieves do. I have had confrontations with guards and dogs, but one thing you've got to remember is that you are an ethical hacker, and all the stuff you steal should be returned to the client, either covertly or at the end of the operation.

Hackers on Hackers on Hackers, Brutal Brutal Hacking

Sometimes clients hire you to pentest just one server; they want it to be the only target, but they have it heavily secured against attacks and they think it is safe. So whenever you try everything, it all gets caught and blocked. As a pentester, do you report that it can't be broken into, or do you do whatever it takes to take it over? Well, you should do whatever it takes: hackers won't stop and they don't give in. They try to gain access to other servers and infrastructure trusted by the main target, and so many other options on the ground. Agree this in the rules of engagement first, so that a pivot through a trusted system is part of the authorized test and not an attack on an out-of-scope host.

Social Engineering

Talking well, using beautiful women, lying, lying and lying again: all of this is operational gain during black box operations. Most employees have had no Information Security Awareness training; 90% of the people around us have jobs rather than careers and don't care where they work, 90% of the people around us are underpaid, and 90% of bosses and leaders could not care less about their employees. We use that to infiltrate an infrastructure.

Fraudsters

Banks lose a lot of money to fraudsters, not just to hackers. So if you are testing things like Internet banking, mobile banking and ATM security, you need to think like the notorious Nigerian fraudsters. Do some reading about them and let me know what you think.

Espionage

Service and research organizations lose millions to data leakage and theft. This mostly happens because of competition between two companies offering the same service. If this is the highest risk such an organization faces, you should test it, since the client will need to know how far the damage would go.


Organized Criminals

I have seen so many banks lose millions to organized crime. I know about the banking cartels that work with the CBK and other government offices to launder money and steal lots of it from different public offices, and the plain organized criminals who use everything to gain access to safes and other important, secured commodities. So hardware keyloggers, stakeouts, chase-outs, guards' paydays, tailing, men's lusts, family vulnerabilities, social media and so on are all used in such operations. Give the client the best.

Hacktivism

A lot of organizations, groups and membership bodies are constantly targeted by adversaries who just want to deface their sites and damage their names for a cause. These attacks are mostly website defacements, denial-of-service attacks and others that are not as sophisticated as the ones above. Such tests are essential when you want to know how much damage you would take, and how fast your incident handling team can contain it and forensically investigate it.

Sunday, December 01, 2013

SURVEILLANCE ISSUES

Most of the time when we are doing Black Box Penetration Testing we run into some issues along the way, especially if the target has reviewed its security threats in any form and has contingency plans.

We all know Black Box Penetration Testing covers realistic threats to an infrastructure: insider threat, targeted attack, fraud, identity theft, government covert operations, espionage and theft. So during these tests we plan and execute as if we were conducting such an operation, depending on what the organization that hired the professionals for the service actually needs.

So surveillance is one of the stages you will see such pentesters use against you and your employees. The people most commonly targeted are CEOs, head administrators, guards (and their companies), janitors (cleaners), cooks, businesses sharing the same building, hangout spots, etc.

So when you profile a target, you will need to learn the subject's habits, friends, contacts and frequented places. Learning the neighborhood the target is located in is also vital, since you will then know how to watch the subject and from where.

So surveillance, which mostly means cut tailing, stakeouts, shadowing and tailing (on foot or by vehicle), is essential before a social engineering attack or a physical/operational gain-through into an organization.
Last month we watched an organization and learned that the guards love drinking on weekends, so we knew that on Sundays they are more tired and hungover, and we used that against them on a Sunday afternoon to get into the compound and gather more intel.

Some of the Issues we get during Surveillance

a) Losing the subject, especially once the operation has reached a critical point, e.g. the moment you are almost getting some vital information, such as the WiFi keys from his/her devices, and then everything goes cold.

b) Risk of being discovered. If the target discovers what you are doing, he/she (women do that a lot) might confront you or evade surveillance. This may escalate into a chase or the involvement of law enforcement, which is counterproductive. If it's time to run, be ready to run; if you have a good cover story, be ready to use it, and make sure it is effective and consistent with the way you talk and dress, otherwise you are burned. It is important to act naturally: sudden movements during a tail can easily get you noticed, especially if the subject has learned counter-surveillance. People also sometimes pretend they know they are being watched. It is important to keep your cool and understand that this is an attempt to rattle you by guessing that you are a surveillant; if you watch for a while, he/she might do the same to another person who has no idea what is going on.

c) Long hours of stakeout mean no movement out of, or inside, the vehicle. If you are in the vehicle, you have to stick there until the next shift, which may involve peeing into a bottle or a paper bag. Most people can't do that; it is important to be mentally strong and ready to do anything. Remember that car stakeouts are not the way you see them in movies, it is very different: for example, two people sitting in a vehicle might attract attention, so plan and be effective. Acting like two lovers is known to blend in and sell the operation.

d) Communication between operatives is vital. Sometimes you will try to social engineer the target, and if you don't have good communication with the people inside the compound the operation might get blown. Constant communication between the people in the field and the people controlling a zombie network, e.g. waiting for a flash disk to be inserted into a computer, is vital. Also encrypt every form of communication, even the keylogger traffic.

e) Tailing a vehicle is hard, especially in Nairobi. Using GPS is one solution we have used, but sometimes you will not be able to get near the car to attach a GPS tracker, so tailing such a car might need a two-team surveillance, which increases the cost, though the operation is effective. Most people have not been trained to do this and have no idea how to operate, so training a person to cover a large area during surveillance is hard. It is also important to understand the area and follow the traffic rules, so local reconnaissance is vital for such an operation. Night tailing is harder because of Nairobi traffic; you can always send someone on foot to attach a reflective sticker to the rear of the car, that way it is easy to spot the car at a distance.

With more projects as they come through, I will be able to put together a good list of how to counter some of these attacks.

There is a blog post I am supposed to publish later this month about Real World Penetration Testing vs Normal Penetration Testing. This is probably important for banks that do pentests and then, a month later, someone commits a fraud or hacks the Internet banking. Even though the pentesters broke into a workstation or a certain server, which might help the security department in some way, how does that help the bank protect itself against real-world attacks?

Anyway, have a great Sunday,

./Chucks