what i do?

Am an Information Risk Consultant and Penetration Tester, i specialize mostly in penetrating secure networks/computer systems where i simulate an organized professional attack against your organization, where after that a detailed report with weakness and exploited vectors are summarized. This will help you gain control over your infrastructures security and maximize your protection.

Sunday, December 01, 2013

SURVEILLANCE ISSUES

Most of the time when we are doing Black Box Penetration Testing, we do get some issues on the way especially if it on a Target which has revised any form of Security Threats and has contingency plans



We all know BlackBox Penetration testing includes realistic threats to an Infrastructure either an Insider threat, Targeted attack, Fraud, Identity Theft, Govt Covert Operations, Espionage and Theft. So during these tests, we plan and execute as if we are conducting such an operation depending on what the Organization that has hired the professionals for such a service, actually needs.

So surveillance is one of the stages you will see such pentesters use against you and your employers. Most of the targeted are CEOs, Head Administrators, Gaurds (and their Companies), Janitors (Cleaners), Cooks, Businesses sharing the same building, Hanging out spots etc.

So when you profile a target, you will need to learn the subjects habits, friends, contacts, frequented places/joints. Also learning the neighborhood the target is located is very vital, since you will know how to watch the subject and from where.

So Surveillance or rather mostly Cut tailing, Stakeouts, Shadowing, Tailing (On foot or Mobile) is very essential before a social engineering attack or Physical /Operational gain-through to a organization.
Last month we watched an organization and we learned the guards love drinking on weekends, so we knew on Sundays they are more tired and hangover-ed and we used that against them on a Sunday afternoon, to get into the compound and gather more intel.

Some of the Issues we get during Surveillance

a) Losing the subject, especially when the operation has grown vital, e.g, like the moment you are almost getting some vital information and then everything goes cold, e.g Wifi Keys from his/her devices

b) Risk of being discovered. If the target discovers what your are doing, he/she (women do that a lot) might confront you or evade surveillance. Some of this may ensure to a chase, or involvement of law enforcement, which is counter productive. If its time to run be ready to run, if you've got good cover story be ready to use and make sure its effective and balances with the way you talk and dress, otherwise you are burned. Its important to act natural, sudden movements during a tail can easily get you noticed especially if the subject has learned counter-surveillance. People also try to show they know they are being watched, by acting so, it important to keep your cool and know its an attempt to harass you by just guessing you are a surveillant, which if you watch for a while, he/she might do the same to another person, who has no idea what is going on.

c) Long hours of stakes-out means no movements out and inside a vehicle. If you are in the vehicle, you gotta stick there until next shift, that may involve peeing in a bottle or paperbag. Most people cant do that,  its important to be strong mentally and be ready to do anything. Remember car stakeouts are not the way you see in movies, its much more different, e.g having two people sitting in a vehicle might raise attention, plan and be effective. Acting like two lovers is known to blend in and sell an operation.

d) Communication is vital between operatives, sometimes you will try to social engineer the target and if you don't have good communication with the people inside the compound, the operation might get blown. Constant communication between people on field and people controlling a zombie network, e.g waiting for a flash-disk to be inserted into computer is vital. Also try to encrypt any form of communication, even the keyloggers.

e) Tailing a vehicle is hard especially in Nairobi. Using GPS is one of the solutions we have used, but sometimes you will not get access to go near the car and attach a GPS equipment, so tailing such a car might need a two team surveillance and that increases the cost, though the operation is effective. Most people have not been trained how to do this and have no idea how to operate, so training a person how to cover a large area during surveillance is harder. Its also important to understand the area and follow the traffic rules, so locale reconnaissance is vital for such an operation. Night tailing is harder, due to Nairobi traffic, you can always send someone on foot to attach a reflective leaflet on a cars rear, that way its easy to spot the car at a distance.

With more projects, as they come through, i will be able to come up with a good list on how to counter some of these attacks.


There is a blog post am supposed to post later on this month, about Real World Penetration testing VS Normal Penetration Testing. This is probably important for banks who do Pentests and a month later, someone commits a fraud or hacks the Internet banking. Even though the pentesters broke into a workstation or a certain server, in a some way it might help the security dept, but how will it help the Bank to protect themselves against real world attacks.

Anyway, Great Sunday,

./Chucks






1 comment:

Black Hat said...

Cool one. Cheers bro