Stealing, scamming, bluffing: El Reg rides along with pen-testing 'red team hackers'

Equipment check

A fortnight after the ATM incident, The Register is at HackLabs' Manly office. It's an unassuming and unmarked door that takes this reporter several minutes to spot. Upstairs, entry passes to international hacker cons are draped from one wall, a collection of gadgets on a neighbouring shelf. Then there's the equipment area. Scanners, radios, a 3D printer, and network equipment sit beside identity cards sporting the same face but different names and titles. There's a PwnPlug and three versions of the iconic Wi-Fi Pineapple over by the lockpicks. A trio of neon hard hats dangle from hooks.

"What do you think?" Gatford asks. It's impressive; a messy collection of more hacking gadgets than this reporter had seen in one place, all showing use or in some stage of construction. This is a workshop of tools, not toys.

"No one uses the secure stuff, mate."

In his office, Gatford revealed the target customer. The Register agrees to obscure the client's name, and any identifying particulars, so the pseudonym "Estate Brokers" will serve. Gatford speaks of the industry in which it operates, Brokers' clientele, and their likely approach to security.

The customer has multiple properties in Sydney's central business district, some housing clients of high value to attackers. It has undergone technical security testing before, but has not yet evaluated its social engineering resilience.

The day before, Gatford ran some reconnaissance of the first building we are to hit, watching the flow of people in and out of the building from the pavement. Our targets, he says, are the bottlenecks like doors and escalators that force people to bunch up.

He unzips a small suitcase revealing what looks like a large scanner, with cables and D-cell batteries flowing from circuit boards. "It's an access card reader", Gatford says. It reads the most common frequencies used by the typically white rigid plastic door entry cards that dangle from staffer waists. There are more secure versions that this particular device does not read without modification. "No one uses the secure stuff, mate," Gatford says with the same half-smile worn by most in his sector when talking about the pervasive unwillingness to spend on security.

I point to a blue plastic card sleeve that turns out to be a SkimSAFE FIPS 201-certified anti-skimming card protector. Gatford pops an access card into it and waves it about a foot in front of the suitcase-sized scanner. It beeps and card number data flashes up on a monitor. "So much for that," Gatford laughs.

He taps away at his Mac, loading up Estate Brokers' website. "We'll need employee identity cards or we'll be asked too many questions," Gatford says. We are to play the role of contractors on site to conduct an audit of IT equipment, so we will need something that looks official enough to pass cursory inspection.

The company name and logo image is copied over, a mug shot of your reporter snapped, and both are printed on a laminated white identity card. Gatford does the same for himself. We're auditors come to itemise Estate Brokers' security systems and make sure everything is running.

"We should get going," he says as he places hacking gear into a hard shell suitcase. So off we go.

Beep beep beep beepbeepbeep

Our attack was staged in two parts over two days. Estate Brokers has an office in a luxurious CBD tower. We need to compromise that in order to breach the second line of defences. We'll need an access card to get through the doors, however, and our laptop-sized skimmer, which made a mockery of the SkimSAFE gadget, will be the key.

It is 4:32pm and employees are starting to pour out of the building. Gatford hands me the skimmer concealed in a very ordinary-looking laptop bag. "Go get some cards," he says.

Almost everyone clips access cards on their right hip. If I can get the bag within 30cm of the cards, I'll hear the soft beep I've been training my ear to detect that signals a successful read. Maybe one in 20 wear their access cards like a necklace. "Hold your bag in your left hand, and pretend to check the time on your watch," Gatford says. That raises the scanner high enough to get a hit.

I'm talking to no one on my mobile as I clumsily weave in and out of brisk walking staff, copping shade from those whose patience has expired for the day. Beep. Beep. Beep, beep, beep, beep, beepbeepbeepbeep. There are dozens of beeps, far too many to count. Then we enter a crowded lift and it's like a musical. It's fun, exhilarating stuff. The staff hail from law firms, big tech, even the Federal Government. And we now have their access cards.

Estate Brokers is on level 10, but we need a card to send the lift to it. No matter, people just want to help, remember? The lady in the lift is more than happy to tap her card for the two smiling blokes in suits. Gatford knows the office and puts me in front. "Walk left, second right, second left, then right." I recite it. With people behind us, I walk out and start to turn right, before tightening, and speeding up through the security door someone has propped open.

We enter an open-plan office. "They are terrible for security," I recall Gatford saying earlier that day. It allows attackers to walk anywhere without the challenge of doors. Lucky for us. Gatford takes the lead and we cruise past staff bashing away their final hour in cubicles, straight to the stationery room. No one is there as Gatford fills a bag with letter heads and branded pens, while rifling through for other things that could prove useful.

We head back to the lobby for a few more rounds of card stealing. Not all the reads come out clean, and not all the staff we hit are from Estate Brokers, so it pays to scan plenty of cards. "Look out for that guard down there," Gatford says, indicating the edge of the floor where a security guard can be seen on ground level. "Tell you what, if you can get his card, I'll give you 50 bucks."

"You're on," I say.

The guard has his card so high on his chest it is almost under his chin. At this point I think I'm unbeatable so after one nerve-cooling circuit on the phone, I walk up to him checking my watch with my arm so high I know I look strange. I don't care, though, because I figure customer service is a big thing in the corporate world and he'll keep his opinions to himself. I ask him where some made-up law firm is as I hear the beep.