Red team hacker on how she 'breaks into buildings and pretends to be the bad guy'

It's the way you get the Execs' attention cos it makes it up close and personal to them.

Any number of insider trading scenarios spring to mind. Execs wield some fairly beefy powers depending on how you look at it. Plus if you own an exec you can fake being an exec...

I have seen many clients where their bosses demand access to everything, just because they are the boss. They think they should be able to access anything any of their employees can, even if they don't need access to it. We patiently explain why this is a bad idea. Some will get it. Some won't.

Execs?

I've worked mainly at small companies where the owner/founder/CEO is also the owner of the AWS/Github account, and absolutely they would have highest level access, even if they have to call on the assistance of the intern to actually do anything.

Depending on how the company is sttructured, and their position within the corporate structure, the exec may have access to a lot of info that could be of interest to hackers. They may have access to company finances, the design or engineering documentation for the company for instance.

I'm not saying that is the right way to set things up. Unless the exec has a specific need to access that info, they shouldn't have access to it. No one should have access to info at work they don't need to do their job, but not all companies are set up that way..Some have grown up from one man bands, where the founder is doing everything, so needs access to everything, and have carried on with that mind set, never really properly designing security. Companies in multi occupancy buildings are often like that because once they get big enough to start thinking about things like having an IT department, they are probably big enough to have the whole building.

Nonsense. Execs have those dashboards you mention and automatically generated reports. They will be logging in to authorize payments, time off, read minutes of confidential meetings, policies etc, etc. Many things that are not distributed via insecure email.

And no, they won't be using costly, wasteful ink jet printers when there are networked, cheap printers available for things that absolutely have to be printed.

Until our most recent Head Teacher, I resisted all requests to give them full access, either because they really were not IT savvy, or because I didn't trust them not to steal all our data and take it to another school.

Our current Head, he actually knows what he's doing, so he has almost complete access, read only though...

Re: David Avocado Wolfe

Just be thankful that nobody has invented a keyboard for jellyfish to operate.

Re: "We had found the credentials for their corporate Wi-Fi network in the trash [...]" Seriously?

Part of pen testing is proving to the C*s that human stupidity knows no bounds, and that they are not immune ... I once found a comprehensive list of machine names and login/password pairs written in sharpie on the underside of the leaves of a faux ficus in the office of the secretary of a VP. They included complete access to the corporate mainframes (including R&D). Quite a few people got reamed, and I'm absolutely certain that Amdahl's internal security culture was much better by the time Fujitsu bought them ...

Re: "We had found the credentials for their corporate Wi-Fi network in the trash [...]" Seriously?

"Bragging about 'hacking' such a soft target seems embarrassing."

It's not bragging, it's highlighting that such sloppiness is still out there. When I troubleshoot electronics, I start at the power supply. It can be the root problem often enough, but it can also be the easiest thing to repair. If you can find credentials in the trash, that's just a night of getting coated in cold coffee grounds rather than a week of online "hacking". It also means that getting in is less likely to sound an alarm.

Re: "We had found the credentials for their corporate Wi-Fi network in the trash [...]" Seriously?

If it's a shared building the "Corporate Wifi" will likely be shared amongst the users. We don''t know what companies occupy the building. We don't know how big the building is, or how many companies are in it. They may be large companies with their own IT support teams,, who make heavy use of the network (although these *should* have their own network that is locked down as much as possible, using the building's "corporate Wifi" mainly as a guest network) or they may be a bunch of small companies staffed by the owner and a couple of employees who just need the "Corporate Wifi" to connect their phones, tablets or laptops to the Internet..

Can't say I've been to many shared building (I used to work for a company in one, but this was *way* befoe Wifi was a thing), but I should imagine if it's just a building with dozens of individual businesses, each with one or two staff, they probably get quite a high turnover of users. Bearing in mind any tech support will likely be the cheapeast possible, it's entirely possible someone just created a generic account to access the Wifi, like you get in shops, restaurants or pubs when the owner wants to provide Wifi, but can't (or won't) pay for one of the big cloud Wifi providers to provide it..

That said, ANY network (wired or wireless) should not have any access to a network connected to any real corporate systems. Or, if it is necessary to provide access, require a VPN.

Re: "We had found the credentials for their corporate Wi-Fi network in the trash [...]" Seriously?

My shop offers a 'coffee shop' wifi network for staff to use with personal phones and client equipment. It is blocked from the corporate network and has the usual restrictions on gambling sites etc and 12ft.io but otherwise pretty open. Reception hands out passes that last 24 hours to visitors, sounds like it was something similar that the author found in the bins.

I would be happy not to read stuff like "hijack the amygdala", distracting bored office workers really isn't that difficult.

Re: She doesn't fit the hacker stereotype

What, pray tell, is "the hacker stereotype"?

Please tell me you don't think it's the idiots you see portrayed in the movies ...

_{Remember, movie rolls are usually written by people whose complete knowledge of system security can be found written on an old AOL floppy ...}

Re: She doesn't fit the hacker stereotype

I think in this story substitute grifter for hacker and you're closer to the role being played (Mickey in Hustle or Sophie in Leverage spring to mind).

Re: Train your users not to trust anyone

My firm did the same thing. The fun bit was everyone getting their P60 (end of tax year docs) from an external contractor no-one had ever heard of, with an incorrect company name appended to the email. The attachment? A macro-enabled MS word document! (.docm)

Naturally a large number of people reported it as dodgy to InfoSec, who did appreciate the response in a "we're really not impressed with Accounts" manner.

Accounts themselves sent a snotty email a day later complaining about all the enquiries they had received and telling us that we should have known the external accounting contractor existed.

This scenario also regularly happens to our CEO who types in a similar manner to really bad/obvious scam emails - lots of Times New Roman, bold fonts and weird formatting.

Re: Train your users not to trust anyone

"My organisation has a "report phish attempt" button in the email client and periodically sends out fake phishing emails to randomly selected staff members. Falling for the emails enrols you in mandatory email security training.

Then one day fairly recently a legitimate email went out with a link to an online training course on an external system nobody had ever heard of, when we have our own internal systems for online training. It ended up being reported as phishing by so many staff that it was followed up by a surprisingly tersely worded email informing us of its legitimacy. I assumed it was legitimate but reported it too because I enjoy the chaos...

Anyway you'd think they'd have thanked the staff for taking (that part of) security seriously. Oh well."

Probably we work for the same company, then.

Over the last years, I had a couple of very suspicious emails I had to report. They were legit. but from a *very* clueless outsourcer.

WTF is sending legit emails with only images in them ???

Re: Fake company researching for quote

Well if that's the case, things have changed dramatically in the last 20 years!

> It's suprising what you can get away with if you just look like you belong somewhere.. It's like the old adage of "just wear a high-viz jacket, or a jacket with "security" on it"

Way back when, the advice I heard was "carry a clipboard and look busy".

Nowdays maybe not a clipboard, but you get the idea.

Re: Learned helplessness...

"What's more likely, that the person I'm about to ask to leave the building is a professional thief / pen-tester or that for the 3rd time this month someone new has been hired and no one bothered to tell the IT department about them or issue them any ID?"

Remembers the occasion quite a few years ago when I went into the office, sat down and started working and someone I didn't recognise came over and asked me "who are you, why are you here? and how did you get in?" - me: "I work here", them: "No you don't, I've been here for 7 months and I've never seen you before", me: "Yeah? I've been here for 3+ years but normally I work on-site in <insert different country name> or from home when I'm back in the country".

Re: Learned helplessness...

I wish I could award more than 1 up vote for this!