Ethical hacker horror stories: why businesses should take security seriously
Hovering near the conference room of a fourth-floor office, Richard De Vere was escorted down the stairs by a security guard who realised he didn’t have a security pass. Depositing him at the reception desk, the guard left, leaving De Vere to think on his feet.
He concocted a tale about a meeting with an accountant at the company, to interview him for a university newspaper. The receptionist bought the story – which included how shocked he’d been at the rudeness of the guard – and issued him with a visitors’ pass, allowing him access to the building and the chance to plant his spyware.
Another time, he was thrown out of a building he was trying to get into, only to walk round the back and enter through an open door. Two minutes later he was sitting in his car with access to all of the company’s data, thanks to the device he had left inside.
This is the world of ethical hacking, and West Yorkshire-based De Vere is an expert. He set up The Antisocial Engineer in Brighouse with managing director Jade Wenban at the end of 2014, and now works with businesses across Europe, testing their security systems to the limit.
The tools of an ethical hacker
“It’s not a military or James Bond job, it’s sometimes quite mundane,” he says, modestly, though it was his team that alerted TalkTalk to their data breach in 2015.
In his arsenal, De Vere has audio bugs, trackers, cameras the size of matchboxes, network devices that can be placed behind plant pots, and thermal imaging cameras that show from outside where people are in a building. All of them are used in his work, placed in discreet locations to give him control over a business, and all are readily available on Amazon.
Though his intentions are honest, he believes businesses in the North need to wise up to the threats out there.
“People think this kind of thing is still pie in the sky, but there are companies on Amazon selling thousands of these pieces of equipment and if they’re selling them, they’re being planted somewhere,” he says.
In one case in 2017, he was challenged with gaining entry to the high-security global offices of a finance business to penetrate its network. Knowing he probably would not be able to simply walk in, De Vere and the team bought a dropbox, a small battery-powered computer that, once inside a building, connects to the target’s network wirelessly and gives the tester a remote foothold on it, which they charged up and fitted with a GPS tracker. They then collected as many employee email addresses as they could, sent them an unsolicited email and waited for out-of-office auto-replies. Using social media, they confirmed which of those employees were genuinely away, packed the device in Amazon packaging and sent it to one of them by courier. When it arrived, and no doubt sat on that person’s desk for a while, the device connected to the business’s network and was used to run wireless penetration tests.
It is an extreme example, but one that could genuinely happen and bring a business to its knees.
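The out-of-office step above works because auto-replies are machine-labelled: RFC 3834 defines the Auto-Submitted header, and mail systems add subject prefixes and body phrasing on top. The script below is an added example, not The Antisocial Engineer’s own tooling, showing how replies to such a mail blast would be sorted into staff who are away (and until when), guessed addresses that bounced, and people who answered by hand. Every message, name and example.com address in it is constructed; the subject and body patterns are assumed conventions and are only a fallback behind the header check.

```python
"""Sort the replies to a mail blast: who is away (and until when), which
guessed addresses do not exist, and who answered by hand. Added example,
not The Antisocial Engineer's tooling; every message below is constructed."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed replies from a fictional example.com: one human, two automatic
# replies (Exchange-style and bare RFC 3834), one bounce for a bad guess.
SAMPLE_REPLIES = [
    "From: Alice Smith <alice.smith@example.com>\n"
    "Subject: RE: Quick question\n\n"
    "Who is this? Please take me off your list.\n",

    "From: Dave Jones <dave.jones@example.com>\n"
    "Subject: Automatic reply: Quick question\n"
    "Auto-Submitted: auto-replied\n"
    "X-Auto-Response-Suppress: All\n\n"
    "I am out of the office until Monday 18 March with limited access to email.\n",

    "From: Priya Patel <priya.patel@example.com>\n"
    "Subject: Re: Quick question\n"
    "Auto-Submitted: auto-replied\n"
    "Precedence: auto_reply\n\n"
    "Thanks for your email. I'm on annual leave and will be back on 25th March.\n",

    "From: Mail Delivery System <MAILER-DAEMON@example.com>\n"
    "Subject: Undelivered Mail Returned to Sender\n"
    "Auto-Submitted: auto-replied\n"
    'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\n"
    "This is the mail system at host mail.example.com.\n"
    "--b1\nContent-Type: message/delivery-status\n\n"
    "Reporting-MTA: dns; mail.example.com\n\n"
    "Final-Recipient: rfc822; bob.brown@example.com\n"
    "Action: failed\nStatus: 5.1.1\n"
    "--b1--\n",
]

# RFC 3834's Auto-Submitted header is the standard signal. The subject prefix
# and body phrases are assumed vendor habits used only as a fallback: a human
# can also write "out of the office", so body-only hits are lower confidence.
OOO_SUBJECT = re.compile(r"^\s*(?:automatic reply|out of (?:the )?office|autoreply|auto:)", re.I)
OOO_BODY = re.compile(
    r"\b(?:out of (?:the )?office|on (?:annual )?leave|on holiday|on vacation|away from (?:my|the) desk)\b",
    re.I)
RETURN_DATE = re.compile(
    r"\b(?:until|back on|returning on|return on)\s+"
    r"((?:[A-Za-z]+\s+)?\d{1,2}(?:st|nd|rd|th)?\s+[A-Za-z]+(?:\s+\d{4})?)", re.I)
FINAL_RECIPIENT = re.compile(r"^Final-Recipient:\s*rfc822;\s*(\S+)", re.I | re.M)


def plain_body(msg):
    """Text of the first text/plain part, or '' if there is none."""
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


def is_auto_reply(msg, body):
    """Header checks first, then the weaker subject and body heuristics."""
    auto = str(msg.get("Auto-Submitted", "")).strip().lower()
    if auto.startswith("auto-"):          # auto-replied / auto-generated; "no" means a person
        return True
    if str(msg.get("Precedence", "")).strip().lower() == "auto_reply":
        return True
    if msg.get("X-Autoreply") or msg.get("X-Autorespond"):
        return True
    if OOO_SUBJECT.search(str(msg.get("Subject", ""))):
        return True
    return bool(OOO_BODY.search(body))


def classify_replies(raw_messages):
    """Return {"absent": [(address, return date or None)],
               "invalid": [address], "human": [address]}."""
    result = {"absent": [], "invalid": [], "human": []}
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        sender = parseaddr(str(msg.get("From", "")))[1]
        # Bounces also carry Auto-Submitted, so test for a DSN first; its
        # Final-Recipient field names the guessed address that does not exist.
        if (msg.get_content_type() == "multipart/report"
                and str(msg.get_param("report-type") or "").lower() == "delivery-status"):
            result["invalid"].extend(FINAL_RECIPIENT.findall(raw))
            continue
        body = plain_body(msg)
        if is_auto_reply(msg, body):
            found = RETURN_DATE.search(body)
            result["absent"].append((sender, found.group(1) if found else None))
        else:
            result["human"].append(sender)
    return result


if __name__ == "__main__":
    for bucket, entries in classify_replies(SAMPLE_REPLIES).items():
        print(bucket, entries)
```

The defensive lesson is the mirror image: an auto-reply sent to an unknown external sender hands over the employee’s absence and return date, and a bounce confirms which address guesses were wrong. Restricting out-of-office replies to internal or known contacts, and keeping the external version free of dates, removes both signals.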
“The problem is businesses in the North are not taking this seriously,” De Vere says.
Email addresses are the keys to your business
“If someone said to me, I can hack your email I’d be terrified, but most people don’t see the connection and businesses are the same.”
“With an email I can get your bank details and ID, I can start ordering things like cars and phones and, before long, you would be destroyed. That’s the hardest challenge, and people have to face up to the realities. If my sole intention was to end a business’s trading activity I could do it, and that should be taken seriously.”
Once a business has booked The Antisocial Engineer to test its security, De Vere’s job starts with research on the company: how it operates and what websites and social media accounts it has, before he starts pulling out staff names. “We’ll find a few hundred staff names from social media services, for example, and then we convert them to email addresses and start to send them phishing emails,” he says. “People think that a phishing email involves you clicking a link to a Nigerian prince, but nowadays phishing is different – it’s a lot more natural.”
“For instance, I might go into an email and dig down 20 emails and find a message that says the sender is going to forward on a link the following week. I ring up and say ‘hi, I’m picking up on Dave’s email and I’m going to send you a link’, I send the link and they click on it.”
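The name-to-address conversion De Vere describes rests on one observation: most organisations use a single convention for the local part of their addresses, so one known address (a press contact, a PDF author field) reveals the pattern for everyone scraped from social media. The following is an added example, not code from The Antisocial Engineer, that infers the convention from a known name/address pair and applies it to a list of names; the FORMATS table, the names and the example.com addresses are constructed assumptions.

```python
"""Infer an organisation's email convention from one known address and apply
it to scraped staff names. Added example, not The Antisocial Engineer's code;
the formats, names and example.com addresses are constructed assumptions."""
import re
import unicodedata

# Assumed common corporate conventions: f/l = first/last name, fi/li = initials.
FORMATS = {
    "first.last": "{f}.{l}",
    "firstlast": "{f}{l}",
    "first_last": "{f}_{l}",
    "flast": "{fi}{l}",
    "lastf": "{l}{fi}",
    "first": "{f}",
    "last.first": "{l}.{f}",
    "first.l": "{f}.{li}",
}


def normalise(token):
    """Lower-case, strip diacritics (Zoë -> zoe) and punctuation (O'Brien -> obrien)."""
    decomposed = unicodedata.normalize("NFKD", token)
    ascii_only = decomposed.encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", ascii_only.lower())


def split_name(full_name):
    """First and last token of a scraped display name. Middle names are dropped;
    particles such as 'van der' are also dropped, which is a known weak spot
    (some directories keep them in the surname)."""
    parts = full_name.strip().split()
    if len(parts) < 2:
        raise ValueError(f"need at least two name parts: {full_name!r}")
    return normalise(parts[0]), normalise(parts[-1])


def render(fmt, first, last):
    return FORMATS[fmt].format(f=first, l=last, fi=first[:1], li=last[:1])


def infer_format(known_name, known_address):
    """Every convention in FORMATS that reproduces an address already known to
    be valid, plus the domain. More than one hit means the sample is ambiguous
    and a second known address is needed."""
    local, _, domain = known_address.lower().partition("@")
    first, last = split_name(known_name)
    return [fmt for fmt in FORMATS if render(fmt, first, last) == local], domain


def candidate_addresses(names, fmt, domain):
    """Apply one convention to a list of scraped names."""
    return [f"{render(fmt, *split_name(name))}@{domain}" for name in names]


if __name__ == "__main__":
    fmts, domain = infer_format("Dave Jones", "dave.jones@example.com")
    print(fmts, domain)
    print(candidate_addresses(["Zoë Müller", "Siobhán O'Brien"], fmts[0], domain))
```

The output of this step feeds straight into the mail blast: every generated address is a guess, and the bounces separate the wrong ones from the live ones.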
De Vere’s business was one of the first in the UK to sell ‘SMShing’ (SMS phishing) as a service, which involves sending text messages that entice recipients to click on a link. In this case he might pose as the IT department asking an employee to click a link to reset their password.
While a job may start on a Monday with this research and phishing attempts, by the Thursday it could be that De Vere is attempting a security breach in person. Here he must weigh up his approach – whether he will be playing the role of a delivery worker or the nephew of a board member, in cases where he has discovered that board member is absent that day. Often it can be a case of thinking on his feet.
“I dress smart casual and I try to change my attitude to adapt to the situation, if the receptionist is bubbly then I’ll reply with an upbeat tone,” he says. “If someone was to approach me and ask what I was doing I can be assertive and blend in.”
“I’ve used a company’s own email account before to send an email to reception to say ‘I’ve got a guest coming in, can you offer him a tea or coffee, give him a desk and a work station, etc’. It’s all about mixing it up so that people don’t expect it.”
Once inside the building, it is a case of planting some spyware, stealing a USB stick or photographing a boardroom, anything that shows he has exploited a flaw in the company’s security. Afterwards he prepares a report for the board, and its contents can be eye-opening. In most cases it leads to extra training for staff.
“It’s a massive shock to the company and has tangible meaning to them to say we’ve managed to steal a piece of equipment from them,” he says. “Other testing can give them a green tick or certificate that shows everything is fine, but we show the real-case scenario and we can come in and say everything is broken.”
“The scariest thing is things are repeatable and scalable. You can start with a business name on a Monday morning and by the Friday evening you’re able to control the operations of that business.”
Sometimes the risk is worth taking
Manchester-based Jahmel Harris agrees that the biggest issue is making businesses take security flaws seriously. He runs Digital Interruption, which provides cyber security training and penetration testing.
When he ran penetration tests on a fintech app, he discovered a way to take money from users’ accounts.
“They were already in the app store and being used by people, but they weren’t keen to get it fixed because it would have needed a redesign of the app and they were a small company,” he says. “The cost to fix it was greater than the risk to them but if they’d discovered that issue earlier by having that security knowledge in their team it would have been a cheap fix.”
“That can be quite frustrating for a security tester, we do a lot of work to find something and it’s ignored.”
How can your company step up cyber security?
While the arrival of GDPR means that companies must comply or face a fine, that is not the end of the problem, according to Harris. “Being compliant doesn’t necessarily mean secure,” he says.
“When it becomes a box-ticking exercise you have to ask, how useful is the test? There are always things I find that organisations could be doing better. A company could be well protected externally but internally they’re using weak or outdated software so people’s work stations aren’t protected or the network isn’t segmented.”
Some businesses give Harris a fixed window in which to test their security, and while he may not find anything too serious in the ten or so days he has been given, he always warns them that a real attacker has much longer. For this reason it is always best to expect the worst.
“If you make assumptions that you will be hacked it means that, as an organisation, you start to protect your vulnerable assets. This way, if somebody does get a phishing link and clicks on it, it doesn’t mean your sensitive data is going to be compromised before you have a chance to protect it.”
“Get your employees thinking about phishing emails because the more aware people are about security the less likely you are to fall a victim.”
For the past year, Harris has run Manchester Grey Hats to encourage more people to become interested in cyber security. Up to 35 people meet up once a month at MadLab for workshops and capture the flag events, and the group has run workshops at universities. Some members are would-be ethical hackers, others are developers keen to learn more about security.
“There’s a skill shortage in the city and this is an attempt to try and bring these skills to people so they can move into security testing,” he says, adding that some have gone on to work in penetration testing. “For a lot of us this is a passion and it’s rewarding when we see people coming to us and finding that security is something they could do as a job.”