Attack of the Superhackers

  • The Raspberry Pi is a single-board computer, about the size of a credit card, developed in the UK with the intention of promoting basic computer science in schools. It’s reasonable to assume that its creators did not envisage it being part of the superhacker’s tool kit.
  • Catching up on e-mails before the start of their hectic working day, these unsuspecting office workers could be the target of a very smart (and slightly scary) hacker seated at a nearby table. iStockphoto/LuckyBusiness
Date: 11 August 2014

New Yorkers are suspicious about many things, yet weirdly naïve about others. Take digital security. Heading off to work each morning, coffee in hand, their thoughts are focused on the minutiae of work, play or relationships. At the office, employee badges and two-step e-mail verification grant them access for the day. Internal documents are shared across a Wi-Fi network protected by long, complex passwords. At work, they are safe. Then they step outside for lunch or coffee, or a midday stroll, and they become targets.

By Kenneth Rosen

On a balmy spring afternoon, Ian Amit stands at a counter in a Starbucks in midtown Manhattan. As customers check Facebook, Twitter and Gmail over the free, open AT&T Wi-Fi, Amit is in a position to monitor it all. One keystroke would activate a script that captures everything sent in the clear over the open network (anything not protected by HTTPS). He could, but he refrains. It is not ethical and, in his words, “less legal”.

As director of security services at IOActive, a firm that offers comprehensive computer security services, Amit is a problem solver. Today’s demonstration at the Starbucks is a look at open source intelligence, or OSINT, and how the trail of data left by the most innocuous tasks carried out on smartphones maps out day-to-day activities that coalesce into a vivid portrait of a person’s life. For a corporate security specialist, it makes for an easy day at work.

“Don’t check your e-mail,” he says, plugging an external wireless antenna into his laptop. He hides the antenna in his black backpack on the ground. To anyone watching, it looks as if he’s charging his phone and connecting to an external device, as his penetration-testing and security tools boot on screen in small command windows.

“It’s not about the tool. The tool is irrelevant,” he says once code begins streaming across the screen like something out of the 1995 film, Hackers. “The data is already out there.”

But the coffee shop is child’s play compared to his real work: the clandestine operations known as “red teaming”. A red team is a group of security specialists, usually with military experience, that operates without much regulation in the private intelligence sector. They challenge organisations to improve the effectiveness of their security by, among other things, breaking into systems to expose vulnerabilities.

While the technique is rooted in military operations, it is frequently used in real-world civilian settings, some of it happening every day, right before our eyes. Although he could steal a Starbucks customer’s identity while they wait for their latte, Amit is one of the security professionals whose life’s work is keeping data safe.

Yes, but it’s not real security
As he explains it, most of what we see as security – the two-step verification, the ID cards – is the idea of security, not security itself. Security efforts rarely focus on the one or two outliers. Rather, they manifest as long queues and security checkpoints, providing a sense of security through large signs and heavily armed guards. “Security theatre”, as it’s called in the business: the TSA agents and Paul Blart mall cops (for those who missed it, this refers to a mildly amusing movie) of the world. Red teams, on the other hand, are practitioners in the art of security, attacking from every direction, beyond the metal detectors and security patrols, until they expose weaknesses and propose fixes to close them.

Members of these teams are often former military personnel and are known, in hacking terminology, as “penetration testers”. Amit oversees about a dozen employees, although he also contracts out work for different red team operations.

IT companies such as IBM and SAIC, as well as a litany of federal agencies, all use teams like this – sometimes referred to as “tiger teams” – to reverse-engineer security processes and business operations in order to spot the weaknesses and gaps in their security.

These engagements can cost anywhere from tens of thousands of dollars to upward of six figures. According to Amit, few know when a team like his is on the job. Maybe one or two of the higher-ups within a company, fearing a major loss, be it through a malicious digital attack or a physical break-in, know of a red team’s intentions. But even they don’t know when to expect them.

The particular skill sets needed for any red team operation vary on a project-by-project basis. Amit gained valuable experience – analytical thinking and reasoning paired with observational techniques that go beyond the passive observer – during his time in the armed forces. He grew up in Tel Aviv, tinkering with computers and gadgets – taking apart televisions, as he puts it, to find the little green man inside – before spending four years in the Israel Defence Forces.

In the IDF he was a tank driver, air force cadet and tank company commander. When he left, in 1998, there were newer and faster computers to work with that far surpassed the tinkering he had managed as a boy. The personal computer had long since moved past the era of the Intel 8086 and 8088.

Everything moved at a faster pace.

“One of the big tipping points for me was the catch-up after four years of not touching computers almost at all. It’s like a decade of computer innovation to catch up with,” he says. “That translated into understanding systems from the inside. Which then translated into a civilian occupation. You can consult, you can help people break it so that other people can understand the problem to fix it.”

In the past, red teaming has been featured on television shows. In one episode of Tiger Team, the team’s target was a Lamborghini dealership. Hired by the owner to go up against a newly installed high-tech security system, their mission was simple: gain access to the showroom and drive the brightest car out the front door. Simple.

Missing: one bright yellow Lamborghini
The episode of Tiger Team began with surveillance and casing of the area to learn what perimeter security assets were in place – infrared cameras, gates, automatic locks, motion sensors. From there, after dumpster diving and recovering discarded letters from the dealership’s security company, a member of the team, disguised as an employee of that security company, scheduled an appointment to update the dealership’s internal systems.

Dealership employees unknowingly allowed unverified, unfettered access to the computers and systems in the back office. With unrestricted access to the security feeds and automated locks, the team finished the job unnoticed; it was only the next morning, when the owner came to open up, that a bright yellow Lamborghini was found missing from the showroom floor.

Members of these operations teams carry their own get-out-of-jail-free cards: indemnification letters that clients must sign before the team engages in anything that goes beyond “traditional” penetration testing.

Though that is just one example of an exciting, hands-on operation, much of red teaming revolves around the intangible.

Due to non-disclosure agreements, following Amit on an operation wasn’t possible, but he offered insight into malware and other digital attacks we might otherwise never see, on both the national and the private scale.

“My observation starts with: what is your business about?” Amit says, standing by his laptop, the screen a mix of scrolling white and green text. “What would pain you the most? The teams I assemble would have those kind of skill sets.”

He’s well equipped to observe and execute operations – physical or digital – at any moment. His black vinyl LA Police Gear tactical backpack holds a litany of tools used in the field, including:

* Black mylar balloons, slipped deflated under a door. Once inflated, they rise to trip motion detectors and other infrared sensors, such as the ones that unlock a door from the inside.
* A pre-configured Raspberry Pi mini-computer. These credit card-sized computers are inexpensive and available to any DIY enthusiast. In this particular usage, they are planted for passive data collection and retrieved later.
* Extended Wi-Fi antennas.
* USB endoscope.
* Lift keys for all major brands.
* Putty clamp for taking impressions of keys.
* GPS tracker used for tailing targets.
* A software-defined radio.
* Shove knife for bypassing door latches, and a lock pick set with a pick gun.
* A file for shaving down blank keys.
* Various wires and connectors.
* Black glasses (no explanation necessary).

“It’s purely counterintelligence, giving up a rook or a pawn just to see how the game plays out,” he says, shuffling through the bag before placing it back on the floor. “Otherwise, you’re just a technician patching holes.”

Of coffee and vulnerability
Think again when you’re checking your bank balance at a coffee shop. As you look through past purchases, cursing your low balance, your phone is broadcasting probe requests for every Wi-Fi network it remembers, trying to reconnect. Then it reaches the one broadcast from Amit’s computer.
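What that probing looks like to a passive collector, as an added example that is not code from the original article or from IOActive: a small parser for 802.11 probe-request frames that builds, per device, the list of remembered network names it asks for. This is the kind of data the pre-configured Raspberry Pi in Amit’s bag would gather, and the reason the open-coffee-shop demonstration works. The frames below are constructed inline for the example (a real collector would read them from a wireless card in monitor mode), and the MAC addresses and network names are made up.

```python
"""Passive profiling of phones from their Wi-Fi probe requests.

Added example, not the article's or IOActive's code. Sample frames are built
by hand below; the MAC addresses and SSIDs are constructed for the example.
"""
from collections import defaultdict

MGMT_TYPE = 0            # 802.11 frame type 0 = management
PROBE_REQ_SUBTYPE = 4    # management subtype 4 = probe request
TAG_SSID = 0             # tagged parameter ID 0 = SSID
MGMT_HEADER_LEN = 24     # frame control, duration, 3 addresses, sequence control


def parse_probe_request(frame: bytes):
    """Return (source MAC, SSID) for a probe request, or None for any other
    frame. An empty SSID is a wildcard probe: no network name is leaked."""
    if len(frame) < MGMT_HEADER_LEN:
        return None
    fc0 = frame[0]                          # first byte of frame control
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    if ftype != MGMT_TYPE or subtype != PROBE_REQ_SUBTYPE:
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[10:16])   # address 2 = transmitter
    body = frame[MGMT_HEADER_LEN:]
    i = 0
    while i + 2 <= len(body):               # walk the tagged parameters: id, len, value
        tag_id, tag_len = body[i], body[i + 1]
        value = body[i + 2:i + 2 + tag_len]
        if len(value) < tag_len:
            break                           # truncated frame: stop rather than over-read
        if tag_id == TAG_SSID:
            return src_mac, value.decode("utf-8", errors="replace")
        i += 2 + tag_len
    return src_mac, ""                      # no SSID element at all: treat as wildcard


def build_probe_request(src_mac: str, ssid: str) -> bytes:
    """Construct a minimal probe request; used only to make sample data."""
    frame_control = bytes([(PROBE_REQ_SUBTYPE << 4) | (MGMT_TYPE << 2), 0x00])
    duration = b"\x00\x00"
    broadcast = b"\xff" * 6
    src = bytes.fromhex(src_mac.replace(":", ""))
    seq_ctrl = b"\x00\x00"
    ssid_bytes = ssid.encode("utf-8")
    body = bytes([TAG_SSID, len(ssid_bytes)]) + ssid_bytes
    body += bytes([1, 4, 0x02, 0x04, 0x0B, 0x16])   # supported-rates element
    return frame_control + duration + broadcast + src + broadcast + seq_ctrl + body


def profile_devices(frames):
    """Map each transmitting MAC to the set of named networks it probed for."""
    profile = defaultdict(set)
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed is None:
            continue
        mac, ssid = parsed
        if ssid:                            # wildcard probes carry no history
            profile[mac].add(ssid)
    return dict(profile)


# Constructed sample capture: two phones, one wildcard probe, one data frame.
SAMPLE_FRAMES = [
    build_probe_request("a4:c3:f0:11:22:33", "HomeNet"),
    build_probe_request("a4:c3:f0:11:22:33", ""),
    build_probe_request("a4:c3:f0:11:22:33", "AcmeCorp-Guest"),
    build_probe_request("d8:96:95:44:55:66", "CoffeeShop-Free"),
    bytes([0x08, 0x00]) + b"\x00" * 22 + b"\xaa" * 10,   # type 2 (data): must be skipped
]

if __name__ == "__main__":
    for mac, ssids in profile_devices(SAMPLE_FRAMES).items():
        print(mac, sorted(ssids))
```

The profile is the OSINT point of the demonstration: a phone that asks for “HomeNet” and “AcmeCorp-Guest” has told everyone in range where its owner lives and works. Newer phones randomise their MAC address while probing and send fewer directed probes for remembered networks, which blunts this particular trick, but any directed probe still leaks a network name.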

“Everyone’s vulnerable. Running a business is just practising risk management,” Amit says, “and we want to practise this better.”

When assessing why someone would attack a given platform, a red team first looks for what it calls “threat communities”. In the case of bank accounts accessed at a coffee shop, it could be rival banks trying to gain a competitive edge by digging up dirt on a competitor, the hacking collective Anonymous simply looking to make headlines, or possibly a bank employee who wishes his paycheque were larger.

“Then we narrow it down to threat actors,” Amit says. “We get hired to look at this and say, ‘how would you attack this?’ It’s a little easier to gauge the system from both sides; the defender and the attacker. I play both.”

If a mobile banking app can share money with a quick tap between two phones, the team might look at what happens if a user sends someone else negative R50. Would the app pull R50 out of the recipient’s account rather than return an error? What if you sent someone “ABC” as the amount? Would it go through as a transaction? This is the kind of thing that should already have been addressed by the software developers, but as Amit says, “should have is a key word”.
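The negative-amount and “ABC” probes above, worked through as an added example that is not code from the article, from IOActive or from any real banking app: a transfer routine that trusts whatever the client sends, beside a hardened one, and a small harness that records what each malformed input does to the balances. `Account`, `transfer_naive`, `transfer_checked`, `probe` and the R100 000 per-transfer limit are hypothetical names and values chosen for the example.

```python
"""Amount validation for a tap-to-pay transfer: trusting version beside a
hardened one. Added example; not the article's, IOActive's or any real
bank's code. All class and function names here are hypothetical."""
from decimal import Decimal, InvalidOperation


class Account:
    def __init__(self, name: str, balance: str):
        self.name = name
        self.balance = Decimal(balance)


class TransferError(ValueError):
    """A rejected transfer; the message is safe to show to the user."""


def transfer_naive(src: Account, dst: Account, amount: str) -> None:
    """The 'should have been addressed' version: moves whatever the client sent.
    '-50' drains the recipient, 'NaN' poisons both balances, 'ABC' blows up
    with an unhandled exception."""
    amt = Decimal(amount)
    src.balance -= amt
    dst.balance += amt


MAX_AMOUNT = Decimal("100000.00")   # per-transfer limit, assumed for the example
CENTS = Decimal("0.01")


def parse_amount(raw: str) -> Decimal:
    """Turn client input into an amount the ledger can trust, or raise."""
    if not isinstance(raw, str):
        raise TransferError("amount must be sent as a string")   # JSON floats lose cents
    try:
        amt = Decimal(raw)
    except InvalidOperation:
        raise TransferError("amount is not a number") from None
    if not amt.is_finite():              # rejects NaN and Infinity; must precede any < or >
        raise TransferError("amount must be a finite number")
    if amt <= 0:
        raise TransferError("amount must be positive")
    if amt > MAX_AMOUNT:
        raise TransferError("amount exceeds the per-transfer limit")
    if amt != amt.quantize(CENTS):       # 10.001 is not an amount of money
        raise TransferError("amount must have at most two decimal places")
    return amt.quantize(CENTS)


def transfer_checked(src: Account, dst: Account, amount: str) -> Decimal:
    """Hardened transfer: validates the amount, refuses self-transfers and
    overdrafts, and only then moves money."""
    amt = parse_amount(amount)
    if src is dst:
        raise TransferError("cannot send money to yourself")
    if src.balance < amt:
        raise TransferError("insufficient funds")
    src.balance -= amt
    dst.balance += amt
    return amt


def probe(transfer_fn, amount, start: str = "100.00"):
    """Run one attempt on fresh accounts and report what happened, the way a
    red team records each malformed input it tries."""
    src, dst = Account("sender", start), Account("recipient", start)
    try:
        transfer_fn(src, dst, amount)
        outcome = "accepted"
    except TransferError as exc:
        outcome = f"rejected: {exc}"
    except Exception as exc:             # unhandled on the naive path: a server error
        outcome = f"crashed: {type(exc).__name__}"
    return outcome, src.balance, dst.balance


if __name__ == "__main__":
    for raw in ["25.50", "-50", "ABC", "NaN", "0", "10.001", "1e9999"]:
        print(f"{raw!r:>10}  naive   -> {probe(transfer_naive, raw)}")
        print(f"{'':>10}  checked -> {probe(transfer_checked, raw)}")
```

Two design points are worth noting. The amount is parsed as a `Decimal` from a string rather than as a float, so “0.10” stays exactly ten cents, and the finiteness check comes before any comparison, because comparing a quiet NaN with `<` raises rather than returning False. Every rejection leaves both balances untouched; on the naive path a single negative amount quietly reverses the direction of the transfer.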

“I’m just here to be the mirror,” Amit says of his and his team’s role in similar operations. “It’s important to experience that for real.”

“If we lived in a perfect world, security would have been embedded in the process from the get-go,” Amit says outside the Starbucks, noting security flaws at every turn – door locks, alarm systems and more – all of them merely inefficient theft deterrents.

Then again, “If everything was perfect I’d be surfing in Hawaii. I wouldn’t have a job.”

Reproduced with the kind permission of Narratively (narrative.ly), an online repository of good writing devoted to “untold human stories”.