January 7, 2021 |
FC is a well-known ethical hacker and social engineer. He has been working in the infosec field for over 20 years and excels at circumventing access controls.
He has held positions in his career such as Senior Penetration Tester as well as Head of Social Engineering and Physical Assessments for renowned penetration testing companies. As Head of Cyber Research for Raytheon Missile Systems, and having worked closely alongside intelligence agencies, he has cemented both his skillset and knowledge as well as helped steer governments toward the correct courses of action against national threats.
As an ethical hacker and social engineer, FC ‘breaks into’ hundreds of banks, offices and government facilities in the UK and Europe. His work exposes weaknesses in physical, personnel and digital controls, thereby helping organisations improve their security. He is motivated by a drive to make individuals, organisations and countries more secure and better able to defend themselves from malicious attack.
Born in Israel in 1975, Malicious Life Podcast host Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, he created the popular Israeli podcast Making History. He is the author of three books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.
Malicious Life by Cybereason exposes the human and financial powers operating under the surface that make cybercrime what it is today. Malicious Life explores the people and the stories behind the cybersecurity industry and its evolution. Host Ran Levi interviews hackers and industry experts, discussing the hacking culture of the 1970s and 80s, the subsequent rise of viruses in the 1990s and today’s advanced cyber threats.
Malicious Life theme music: ‘Circuits’ by TKMusic, licensed under Creative Commons License. Malicious Life podcast is sponsored and produced by Cybereason.
If you were given a top-secret mission, to steal a highly sensitive document from an international megacorporation, how would you do it?
“[FC] So this was a very large corporation, one that if you said the name out loud, everyone would know it. They’d be like, “Oh. OK, those people.””
Our story begins at a megacorporation HQ.
“[FC] This was a massive site as well. We’re talking like several buildings on a huge campus that was… yeah, very well guarded.”
We’re not talking about some run-of-the-mill retail or fast food chain–this is the kind of place that has important things they don’t want you to see, and enemies who want to get their hands on it.
“[FC] Imagine a huge campus encased in a really high security fencing, you know the barbwire, the lock, everything and they had a great security system for getting people in and out, right? So, if you showed up in a car, for example, there were ANPR camera recorders that read your number-plate and said if you’re expected or not. They had great security cameras there. They had guards on the door making sure like everyone in the car was actually meant to be in the car with – if they’re expected.”
To cover the threat of car bombs, the facility allows no parking near the building.
“[FC] So what they did was they set up a park and ride system. Now that’s a system where you have a car park miles away and then a small shuttle bus that picks people up from the car park regularly and takes you on to the site, kind of like how an airport car park works, right?”
Between barbed wire fencing, a system of security cameras, and guarded checkpoints, it’s like an airport, or maybe a border crossing. But upon further inspection, there seemed to be a hole in the system.
“[FC] And so I find out where this car park is just by following people every day. And after a couple of days, I found the car park, I’d literally just drive into the car park. No one checks who I am because it’s a public car park essentially.
And I waited around for the bus to turn up and then I’d get on the bus. And nobody checks who I am. No one checks for a badge to say you’re going to this site because, well, they’re the only people going to the site. No one tries to get into someone else’s office, right. So I’m sat on the bus and we pulled up to the gate and you know the guard comes over, he’s expecting the bus. The bus is recognized by the ANPR system. The guards recognize the driver. They recognize these people on the bus that are coming to work and they just let the van in. So we just like drive this bus right up to the reception and everyone gets off the bus. [. . .]
So I get into the building. That’s nice and easy.”
Every other person in the facility is an employee who knows where they’re going. And, you know, isn’t trying to steal sensitive company secrets.
“[FC] I was walking around the offices trying to work out like you know where can I go? What’s going to be valuable [. . .] I thought, oh what about this sort of you know the main people that the – the sort of bosses of the building. So I located their offices and thankfully, the bosses were out. They’re out for some meeting or something. And there was a secretary outside of their offices. And I thought, OK, I need to somehow get into their office, but I need to get past this secretary.
So I picked up a pad and pencil from a nearby desk, just took it off the desk and wandered over and was trying to act a little bit bumbly like I was always like knocking stuff off her desk and stuff as I was trying to talk to her and kind of be a little bit flirtatious but also try to ask her some questions that didn’t really make sense about where the bosses were, et cetera.
In the process of doing all this and trying to distract her, I stole some stuff from her desk, right, so she had like a little pile of paperwork on her desk. So I actually stole that and thanked her for her time and wandered off.”
Maybe the secretary’s papers would be a clue to where the really good stuff is.
“[FC] I went through the paperwork thinking there might be something interesting in there. And what I found was a letter from the board of directors to the two bosses that were in this building firing them for doing fraudulent stuff.”
A document with proof of fraud at the executive level.
“[FC] And that type of information will be incredibly valuable because, (a) you could do like insider trading for share prices, et cetera. Going down, you could use it for blackmail against the directors that didn’t know that they were about to be fired.”
Hacking large corporations, banks, governments, isn’t usually easy, but there are ways to do it. You could phish the right employee, then escalate privileges. You could find a zero-day in a particular software program used by the organization.
Or, you don’t even have to start in cyberspace.
Physical breaches–stolen machines, tampered-with machines, insider access, hacking buildings themselves–aren’t the most widespread security threat out there. But they exist. According to a Verizon report from 2020, physical actions are the sixth most common way that data breaches occur. And they’re effective, too. Think about it like this: would you rather have to remotely hack into a laptop, or just swipe it off a desk?
Physical security isn’t something we talk about much, but we’re going to today. Hi, I’m Ran Levi, welcome to Malicious Life, in collaboration with Cybereason. In this episode we’re going to learn how to break into secure buildings, or prevent others from doing it to you.
“[FC] My name is FC, aka Freaky Clown. I am the Co-Founder and Co-CEO of a cybersecurity company called Cygenta based in the UK, but we work globally.”
Cygenta is not like other cybersecurity companies, and FC isn’t like other hackers. His specialty is cyber-physical security. Breaking into buildings. Red teaming for corporations, banks, governments but, you know, IRL.
That makes his workflow a bit different. Like, for example, the first step in most major breaches is reconnaissance–exploring an organization’s digital infrastructure and their employees to find where they’re most exposed. FC’s recon involves actually going somewhere, and probably bringing some binoculars.
“[Nate] Is it like the movies where you’re just sitting there in your car or sitting with the newspaper on the back?
[FC] OK. It is sometimes more mind-numbingly boring than that, sometimes it gets right pretty cold. I remember once – reconnaissance and a very… Oh, I can’t really say too much about all of it. There was a building I had to look at and I climbed over this barbwire fence at like 3:00 in the morning and I climbed through this like thorn bush, got completely shredded by and I was bleeding everywhere. And I had a ski mask on, I had night vision goggles and I had to sit in this ditch. It was the only place of like the cover was this ditch, so it was close enough. And the ditch was half-filled with like muddy water and it just started to snow and I was really cold and wet and dirty and bleeding and I had to sit there for like three or four hours just to watch this door in order to gain some Intel before I went back to my hotel room.”
After the recon phase, hackers usually send a phishing email or text to their victim, containing a malicious link or PDF. After his recon, FC does something much simpler. In fact, he doesn’t even need to be a hacker for this part.
“[FC] So I never start with the digital first because the digital is actually harder than the physical and this sounds absolutely crazy, but it’s genuinely true. It is much easier to walk into a bank or any secure building than it is to digitally break in.”
Just…walking in the front door…
“[FC] Oh, as you’ll be really, really shocked at how easy it is. [. . .] I remember years and years ago, I was on site for a physical test and there was a couple members of our company that were there [. . .] And one of them said to me like, “Oh I’d really love to like learn how to do the stuff you do.” I’m like, “It’s so easy. Just walk in.” and he said, “OK. Well, what do I do?” I said, “Well, you’re not really authorized to do this but I’ll show you how easy it is.” So I’m like, “Come with me. We’ll walk to the front of the building.” I’m like, “Look through the front windows and you can see how the set up is, right?”
So the set up is there’s a couple of these electronic barriers. So someone goes up, they swipe the card, the barriers swipe apart and they walk through. OK. So all you have to do is follow someone through, right? The way these barriers work is they work with a sort of a small beam like it was across, right. So if a large person with a suitcase is going through, it doesn’t shut the doors in the suitcase. All right. So imagine you’re as close as physically possible to the person in front of you that’s legitimately allowed to go in. And if you get close enough, it’s going to count you as one person.
Now, all you have to do is make them feel awkward. [. . .] humans are really bad at being awkward and they want to get away from that situation as quickly as possible. So the more awkward you make it for that person, then the less likely they are to confront you and the more likely you are to succeed. So it’s like it’s drizzling a little bit, all you have to do is run to the front door. Run through the front door and basically, you run into the back of someone who’s just going through that gate. So he was like, “Is it like that easy?” and I’m like, “Yeah. It’s really that easy.”
So all he did was he ran up to the sort of the front door, ran through the doors and picked up a person at random who was just swiping their card, ran into the back of them and he basically says, “Oh, I’m really sorry. I was busy trying to get through really quickly.” He runs into them and they go through and they’re all feeling awkward because they just got run into, everyone’s wet, everyone’s kind of like, “Oh my god, this is like… sorry.” And then they sort of just let him go through.”
Most hackers phish their victims to get a foothold; FC simply walks through the front door of their HQ. Once a typical hacker obtains their entry point into a system, they begin to escalate privileges. FC does the same thing. Kind of.
“[FC] In one case I was in a very large international bank in their headquarters [. . .] it’s a bank but not the sort of high street bank that you normally come across, right. This isn’t the sort of place you just walk into. This is the type of place which only deals with other banks. So they move money to other banks. That’s all they do, like massive, massive amounts of money.”
Banks are already pretty guarded places, and this wasn’t the kind of bank that takes visitors. That would, presumably, make it extra hard to get in. But, counterintuitively, it is precisely because the building was so closed off that it was so easy to navigate once inside.
“[FC] Oh that was actually a really great example of how when you’re within a company, right, so there’s an external perimeter of the fencing or whatever and then you get to the building’s perimeter, right? So it’s like layers of an onion. You get closer and closer. But as you get to that building perimeter, something strange happens once you get past it and that is everyone expects that everyone else has gone through that system, all right? So everyone else suddenly trusts everyone else around them.
And so they don’t sort of go, “Hmm. Hang on, what are you doing here? Why are you here?” They never question it. It’s because, well, I went through several layers of security to get here, so they must’ve done and someone else has done that checking. So I’m just going to implicitly assume that this person works here.”
Like a classic hacker, FC escalates–literally, going up to higher, more exclusive floors of the building–until he reaches the target he’s really been going after all along.
“[FC] And so in this particular instance, I had had trouble trying to find where the C-suite was and so I actually just went up to someone and asked them. And it turns out that she was like a fairly new PA to someone in the building that I was at. And she didn’t know me and I was like, “I need to get to the C-suite. Can you show me where it is?” and she told me where it was and I was like, “OK, right. Well, I’ll try to remember that,” and she tried to be so much more helpful. She was like, “Look. Wait, I’ll just walk you over there.”
So she uses her ID card to go through a series of locked doors to get me up into the C-suite, even though she didn’t know that anyone would be up there. But she allowed me to get up into that place. She actually took me over there.”
Sometimes it’s the executive suite, where all the juicy stuff is, or the server room.
“[FC] I had it once where I stopped the security guard. And I said to him, “Look, I’m looking for the server room. Can you tell me where it is?” And rather than questioning me as to why I needed to get there, he said, “Oh, sure. I’ll take you down there.” And so he takes me all the way to the server room. And then I’m like, “OK, that’s cool.””
Now we have our foothold in the organization’s most critical areas. It’s time to find what we’ve been looking for: databases, CEO’s emails, official documents.
Here’s where FC can pivot a physical breach to a digital one. With access to the right machines, he creates a persistent access point. Like how a hacker, inside a network, might create a user account for themselves, or upload a web shell containing remote access malware.
“[FC] So once I could break in, plug in a laptop, do some stuff, I at some point will get caught if I stay there. All right? So what we do is we hide the device in another device, right. So say I’ll put a Raspberry Pi into a VoIP phone and then smuggle the VoIP phone and plug that in and then leave it so that I have a remote connection into their network. So that’s one way that we deal with the digital domain with physical, right, so using the physical access to get digital assets in and then get further access.”
If the target of the job is tangible–money, documents, machines–it’s about looking through drawers and cabinets, finding where the good stuff is hidden.
“[FC] It’s probably not very obvious to a lot of people if you don’t work in those types of environments how easy it is to go from a classified area to a non-classified area because they’re generally quite synonymous with each other and you can kind of accidentally move stuff between places if you’re not careful.”
You’d think it’d be really difficult to find highly sensitive material. But sometimes it’s just about distracting a secretary. On one occasion, FC broke into a high-level government building–the kind of building that houses lots of classified government secrets. And the really bad stuff? Those government secrets? They were basically waiting for him.
“[FC] If you work in this sort of environment, there will be little bins all around your floor where anything classified you just – and you want to destroy it, you don’t throw them in a normal rubbish. You throw it in these classified bins. And these bins get collected and then they get put together and then they get sent for incineration. All right? [. . .]
In the case of that particular building, the way it was laid out was kind of interesting. It wasn’t multiple floors, it was a single level floor and they only had access to one loading bay. So within the loading bay, they had one area that is designated secure and one area that is designated not secure which is very bizarre when you think about how these systems truly work.”
There were markers indicating where to load the trolleys with classified documents, but no physical mechanism separating these two areas, or any kind of protection for the more sensitive side.
“[FC] What they had done was they had just moved these documents down on these trolleys, loaded them up and they were waiting for the incinerator truck to turn up, right. So some of these sites have incinerators on site which is great but some of them do have to wait for these either trucks to take them away or a mobile incinerator to turn up.
In the case of this site, it was a mobile incinerator that would turn up like sort of weekly and then just burn everything and then go off again. So they were just literally, these trolleys lined up on the side of the loading dock [. . .] And so I was like, OK, I wonder if I can fucking nick that? And so I managed to get this trolley out of the loading bay and into the public area of the car park.”
FC had just walked a trolley full of classified government documents out into a public parking lot.
“[FC] And I believe it’s – I think, unless someone is willing to show proof otherwise. I think this is probably the largest amount of physical classified data I’ve ever stolen from a government facility.”
The breach has now been executed. Time to make our exit. To complete a digital hack is as easy as disconnecting, or unplugging. Not for FC. It’s counterintuitive, but…
“[FC] A lot of security systems in companies allow you to get in very easily. But getting out is a lot more difficult.”
Remember the bank that moves money for other banks? Being guided up to the executive office by that new PA?
Once FC got what he wanted from the executive’s suite, he could have exited back the way he came. But what if somebody who didn’t see him enter saw him exit? He was on a high floor, and would have to pass lots of people on the way back down. One of them might think “hey, that’s not somebody who belongs there.”
“[FC] And so I opened every single cupboard and door that I can to see (a) Is it locked? Does it lead anywhere interesting? And can I utilize it as an escape route if I need to run away from the security guards, which does happen quite a lot?”
While searching the suite he spotted a small, completely unassuming door. The kind of door where, if you stepped in for a meeting and then left, you wouldn’t have even registered in your brain.
“[FC] It wasn’t so much hidden in a bookshelf or anything like that. It was hidden in plain sight. It was just a very narrow doorway. It looked like a kind of janitor’s cupboard, like a place you’d put the mops and the brooms and stuff. So it wasn’t quite as wide as a normal door. It’s just slightly… yeah, so it’s slightly thinner but it didn’t look like anything. So it was just hidden in plain sight and people won’t pass these types of doors all the time.”
No signage or anything. It was the kind of door you simply wouldn’t think to open.
“[FC] And I opened it up and there was a secret spiral staircase hidden in this cupboard.”
An actual hidden staircase. In real life!
“[FC] And this was only known to the CEOs or the executives rather on that floor because it was a way in and out of the building that none of the other employees could see them so that they could come in, do their thing and then leave without anyone sort of really interfering with them. And I actually went down into a secret car park for their CEOs, there’s sort of – there’s a room for CEOs, the C-suite to move in and out of the building whenever they wanted to.”
Imagine going to those kinds of lengths just to not have to share an elevator, or a parking lot with your employees. After the job was through…
“[FC] I’m showing the client around who’s part of the security team, all right, that brought us in the C-suite, who don’t know about this. And so I’m showing him around and he’s like, “OK. Well, we’ll go up here.” I’m like, “Yeah. I got in here and I went to the car park.” And he’s like, “We don’t have a car park. What are you on about?” and I’m like, “No, you do, like from the staircase.” And he’s like, “What staircase?” I’m like, “You’re the security team and you don’t know about the staircase? This should definitely be on your radar.”
So I took him to the staircase and he was like, “Oh my god! No wonder we can never find them when we need them, like they just disappear out of the building and nobody seems to know where they are.” I’m like, “Yes, because they bugger off and go play golf or whatever it is they do.””
KEYS TO PHYS-SEC
Physical security is hard. There aren’t many people as practiced as FC is, but if one of them targets you, there’s very little you can do to stop them.
“[FC] I’ve got 100% success rate with this over the last like almost 30 years now.”
Ultimately, there are two keys to preventing physical breaches. The first is to be proactive, and think about the physical security of your facility before it becomes a problem. It’s the same rule as digital security: investing in some fancy software is useless unless you know how to really use it.
“[FC] People put in security measures into their building and they don’t understand how they work and so they actually make things worse, right? So let’s take a couple of examples.
So almost every building that I break into and almost every building that you know some of your listeners will walk into in the next year or two will have what’s known as a magnetic lock somewhere in them, right? So these little locks that just use a metal plate and electromagnet on the door. And when electricity runs through that magnetic system, it becomes a magnet and it keeps the door shut, all right?
Almost everyone is in these, they’re on almost every building and almost every single building will have one that’s installed incorrectly. And what I mean by incorrectly is the magnetic part will be exposed to where the attacker is coming from, so the outside. So if you’re installing it incorrectly, all I have to do as an attacker or a simulated attacker is either unbolt it or just cut the wires of the electricity and it therefore becomes no longer locked. It becomes an open door.
So people put these locks into place and they go, “Well, we’ve got extra security on these doors. We don’t have to like put in a camera or whatever, a guard or whatever near it.” So they think they’re putting something in that’s actually helping the security, but they actually make it worse.
Another example of this is… I’ve seen this now a couple of times. I’ve probably seen it maybe once or twice a year where someone will refurbish an office. And the carpet is too thick to allow the door to shut on its own. You have to like manually shut them, push them because the door hinge, the spring isn’t powerful enough to get across the drag of the carpet. So therefore, they’ve tried to do something nice but actually made security worse.”
The second key to physical security is even more important. The people who inhabit your building–the staff–need to be trained and attuned to the threats they might be leading right through the front door.
“[FC] I think you have to really differentiate between being a nice human being that wants to help everyone around them and help the company achieve the goals of whatever that company is trying to do and security. Security has to come first in a lot of cases and there’s nothing wrong with asking nicely like, “Who sent you? Why are you here? Who are you looking for? Can I help you achieve this thing? But we need to go through some security protocols before we do that.””
Even with perfectly-installed magnetic locks and sliding doors, camera systems and checkpoints, there’s still that new PA who’s going to walk the bad guy right up to the executive suite, or the security guard who points him to the server room. Or the person that got bumped into walking through the turnstile, but felt too awkward to say anything. Sometimes, the enemy of security is just being too nice.
Just a little skepticism might have helped that government organization when FC stole all their documents. Because, after escaping to the car park with all that sensitive data, FC realized something.
“[FC] I suddenly realized that I had removed all of this really genuinely classified information and put it into the public area of the car park where anyone could have taken it from me because, well, I don’t have many defenses, right? And now I suddenly start panicking, like oh my god, like if this gets stolen from me, now that I’ve stolen it, I’m in big trouble.”
He’d broken in, and gotten out. Now he had to go back in again.
“[FC] So I’ve got the [. . .] getting into the loading bay and I’m going up the ramp and I’m on the non-secure side and I’m trying to take the document trolley to the secure side. Now at this point, there’s a guy who’s found his way back to the loading area. He’s now questioning me as to why I’m trying to put a non-classified document trolley into the classified side. And then he’s like, “Well, why are you doing that?” and then I’m like, “Actually, this is a classified thing. It shouldn’t be on this side.” And he’s like, “Oh my god. Like, how did it get to that side?” and I’m like, “I don’t know. I just noticed it there.” and he’s like, “Oh shit! We better get it over there then.” And I’m like, “OK. Well, as long as you don’t tell anyone, I won’t tell anyone.” And so he managed to help me get it back into the classified section and back where it should be. [. . .]
[Nate] Wow. So you’re kind of like the reverse Ed Snowden at that.