Stealing, scamming, bluffing: El Reg rides along with pen-testing 'red team hackers'
Broad smiles, good suits and fake IDs test security in new dimensions
"Go to this McDonald's," Chris Gatford told me. "There's a 'Create Your Taste' burger-builder PC there and you should be able to access the OS. Find that machine, open the command prompt and pretend to do something important.
"I'll be watching you."
Gatford instructed your reporter to visit the burger barn because he practices a form of penetration testing called "red teaming", wherein consultants attack clients using techniques limited only by their imagination, ingenuity, and bravado.
He wanted me to break the burger-builder to probe my weaknesses before he would let The Register ride along on a red-team raid aimed at breaking into the supposedly secure headquarters of a major property chain worth hundreds of millions of dollars.
Before we try for that target, Gatford, director of penetration testing firm HackLabs, wants to know if I will give the game away during a social engineering exploit.
HackLabs' Chris Gatford at his office in Manly, New South Wales (Image: Darren Pauli / The Register)
So when the McDonald's computer turns out to have been fixed and my fake system administrator act cancelled, we visit an office building's lobby where Gatford challenges me to break into a small glass-walled room containing a shabby-looking ATM.
I can't see a way into the locked room. I think I see a security camera peering down from the roof, but later on I'm not sure I did. I can't think of a way in and I'm trying to look so casual I know I'm certain to look nervous.
Time's up. Gatford is finished with the lobby clerk. He asks how I would get in, and hints in my silence that the door responds to heat sensors.
I mutter something stupid about using a hair dryer. Gatford laughs and reminds me about heat packs you'd slip into gloves or ski boots. "Slide one of those under the crack," he says.
I've failed that test but stayed cool, so Gatford decides he's happy to have me along on a red-team raid, if only because red teams seldom face significant resistance.
"At the end of the day, people just want to help," Gatford says.
Costume is therefore an important element of a red team raid. For this raid, our software exploits are suits and clipboards. Sometimes it's high-visibility tradie vests, hard hats, or anything that makes a security tester appear legitimate.
Once dressed for the part, practitioners use social-engineering skills to manipulate staff into doing their bidding. Fans of Mr Robot may recall an episode where the protagonist uses social engineering to gain access to a highly secure data centre; this is red teaming stylised. Think a real-world capture the flag where the flags are located in the CEO's office, the guard office, and highly secure areas behind multiple layers of locked doors.
By scoring flags, testers demonstrate the fallibility of physical defences.
Only one manager, usually the CEO of the target company, tends to know an operation is afoot. Limited knowledge, or black-box testing, is critical to examine the real defences of an organisation. Red teamers are typically not told anything outside of the barebones criteria of the job, while staff know nothing at all. It catches tech teams off guard and can make them look bad. Gatford is not the only tester forced to calm irate staff with the same social engineering manipulation he uses to breach defences.
Red teamers almost always win, pushing some to more audacious attacks. Vulture South knows of one Australian team busted by police after the black-clad hackers abseiled down from the roof of a data centre with GoPro cameras strapped to their heads.
Across the Pacific, veteran security tester Charles Henderson tells of how, years back, he exited a warehouse after a red-teaming job. "I was walking out to leave and I looked over and saw this truck," Henderson says. "It was full of the company's disks ready to be shredded. The keys were in it." Henderson phoned the CEO and asked if the truck was in-scope, a term signalling a green light for penetration testers. It was, and if it weren't for a potential call to police, he would have hopped into the cab and driven off. Henderson now leads IBM's new red-teaming unit in the United States, which he also built from the ground up.
"There are some instances where criminal law makes little distinction between actions and intent, placing red teams in predicaments during an assignment, particularly when performing physical intrusion tasks," Nathaniel Carew and Michael McKinnon from Sense of Security's Melbourne office say. "They should always ensure they carry with them a letter of authority from the enterprise."
Your reporter has, over pints with the hacking community, heard many stories of law enforcement showing up during red-team ops. One Australian was sitting off a site staring through a military-grade sniper scope, only to have a cop tap on the window. Gatford some years ago found himself face-to-face in a small room with a massive industrial furnace while taking a wrong turn on a red-team assignment at a NSW utility. He and his colleagues were dressed in suits. Another tester on an assignment in the Middle East was detained for a day by AK-47-wielding guards after the CEO failed to answer the phone. Red teamers have been stopped by police in London, Sydney, and Quebec, The Register hears.
One of Australia's notably talented red teamers told of how he completely compromised a huge gaming company using his laptop and mobile phone. Whether red teaming on site or behind the keyboard, the mission is the same: breach by any means necessary.