A selection of true stories from our Pen Testers
“War stories”? Sounds a bit dramatic, but the life of a Pen Tester is spent on the frontline of an ongoing conflict between individuals and organisations, and an army of hackers seeking to scam or undermine them. And just as in any war, the ‘intelligence’ services play a huge role in protecting good people from bad outcomes; work that takes place mainly in the shadows.
At Reliance acsn, we have a team of experienced Pen Testers who work hard to stay ahead of the enemy. That takes ingenuity, grit, and a goodly amount of creative thinking. It could be called ‘creative suspicion.’ As one philosopher put it a century ago, “A suspicious person is the rival of him that deceives, both seem to practice a knowledge of cunning device, and equable sense of disingenuous merit.”
It takes a lot of cunning to penetrate the defences of any organisation. And a deep understanding of human frailties too. Technology can defend, but it’s human behaviour which often represents the weakest link. A good Pen Tester has to think like a hacker and an ordinary user, role playing the interactions which can lead to a breach or a successful defence.
Asking for trouble
“What I really enjoy is finding security issues and vulnerabilities that stand out from the norm,” says ‘Kabir’, “You know, the ones that don’t get highlighted by an automated vulnerability scanner but need an expert human – like me – to discover them.”
‘Kabir’ was checking a client’s Windows applications one afternoon, when he examined one which enabled the company’s employees to use a collaborative environment to get their work done together. “It was a pretty nifty application,” ‘Kabir’ stresses, “but something made me dig into its code. I did it because when you have that kind of application which brings a lot of people together with potentially critical data and processes, there’s bound to be a hacker who wants to get in there too.”
And ‘Kabir’ was right. He found a flaw which enabled a hacker to deliver a malicious payload without being detected. “And it wasn’t a one-time thing, it meant that any hacker could keep delivering bad code into the system. All they would need is to mount a successful social engineering attack, get in, and then gain access to all the devices linked into the collaborative application. That could be a lot of devices!”
‘Kabir’ stresses that it was ‘all in a day’s work.’ And adds, “Just after I sent the report to the client, I was given another important task at home – sort out why SIMS 4 was slowing down a domestic device.”
Even the experts get into trouble
Even computer experts are vulnerable. ‘Abi’ was performing an external infrastructure test against around 200 IP addresses, all linked to a large organisation. She found a problematic web interface for a network device which, after a bit of digging, turned out to be a firewall. Suspicions were aroused when default credentials and the usual username and password lists failed to allow access.
“Something was wrong,” says ‘Abi’. “This was a lab which had several ESXi hosts, and I wondered if there was a vulnerability which could be exploited. So, I did some testing and it turned out that it was vulnerable to Shellshock, which had been discovered around a year or so earlier. Clearly, the system hadn’t been patched. That was strange because this was a lab. All live environments and development areas needed to be patched as quickly as possible. So, I knew I had to do something fast.”
She used Netcat (a general-purpose command-line tool for reading, writing, redirecting, and encrypting data across a network) to discover that the SSH interfaces were vulnerable to attack. “I also found that the passwords they were using were easy to guess because they were all based on Leet speak (using symbols for letters etc.) and therefore not very secure.”
‘Abi’ adds, “Lucky for the client, the lab wasn’t being used, but the ease with which I got in, guessed the passwords, and got into devices meant that if it had been – running web applications and databases and so on – I could have syphoned off a lot of sensitive information and wrecked projects or delivered Ransomware. Whatever – it would have been bad!”
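‘Abi’ makes the point that “leet speak” passwords only look strong. The following is an added illustration (not code from the Reliance acsn team or from this article) of the check a defender can run when reviewing a password policy: it reverses the usual symbol-for-letter substitutions, strips a trailing year or punctuation, and tests whether what remains is an ordinary dictionary word. The substitution table and the base-word list are constructed for the example; a real review would use a full dictionary or breach list.

```python
import itertools
import math
import re

# Common symbol-for-letter substitutions. Some symbols are ambiguous
# (e.g. "1" is used for both "i" and "l"), so a value may hold several letters.
LEET_MAP = {
    "@": "a", "4": "a", "8": "b", "(": "c", "3": "e", "6": "g", "9": "g",
    "1": "il", "!": "i", "|": "il", "0": "o", "5": "s", "$": "s",
    "7": "t", "+": "t", "2": "z",
}

# Constructed stand-in for a dictionary / breached-password list.
BASE_WORDS = {"password", "welcome", "summer", "admin", "letmein", "company"}

# Reverse table: for each letter, the symbols that are commonly substituted for it.
REVERSE_MAP = {}
for symbol, letters in LEET_MAP.items():
    for letter in letters:
        REVERSE_MAP.setdefault(letter, []).append(symbol)


def candidate_plaintexts(password):
    """Yield every plain-letter reading of a leet-style password.

    Ambiguous symbols fan out, so "l3tm31n" yields both "letmein" and "letmeln".
    """
    choices = [LEET_MAP.get(ch, ch) for ch in password.lower()]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def base_word_hits(password, wordlist=BASE_WORDS):
    """Return the set of base words the password reduces to once
    leet substitutions are undone and any trailing digits/punctuation
    (the usual "123" or "!" suffix) are dropped."""
    stripped = re.sub(r"[^A-Za-z]+$", "", password)
    hits = set()
    for form in {password, stripped}:
        for candidate in candidate_plaintexts(form):
            if candidate in wordlist:
                hits.add(candidate)
    return hits


def is_leet_variant(password, wordlist=BASE_WORDS):
    """True if the password is just a dictionary word in disguise."""
    return bool(base_word_hits(password, wordlist))


def leet_variant_count(word):
    """Number of distinct leet spellings of a base word (ignoring case),
    i.e. how much extra guessing leet speak actually adds."""
    count = 1
    for ch in word.lower():
        count *= 1 + len(REVERSE_MAP.get(ch, []))
    return count


def leet_extra_bits(word):
    """The same figure expressed as bits of added guessing effort."""
    return math.log2(leet_variant_count(word))


if __name__ == "__main__":
    for pw in ["P@ssw0rd", "W3lc0me2024", "L3tm31n", "Summ3r!", "xq7v$bq"]:
        print(f"{pw:14} -> base words: {sorted(base_word_hits(pw)) or 'none'}")
    print(f"'password' has {leet_variant_count('password')} leet spellings "
          f"(~{leet_extra_bits('password'):.1f} extra bits)")
```

The last two functions make the weakness concrete: with this substitution table the word “password” has only 54 leet spellings, under six bits of extra effort, which is why a guessing list that simply includes the common substitutions catches these passwords as easily as the plain word. A policy check that rejects anything `is_leet_variant` flags is a cheap way to close that gap.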
Walking into trouble
Pen Testers don’t spend all their time in front of a screen. They’re often asked to walk the talk too. That is, try and just walk into a client’s office to see what happens. “One of the biggest threats to security is, well, a lack of security at the front door and reception,” says ‘Lloyd’ who managed to take advantage of the fact that most people worked from home during the pandemic.
“All the focus was on the cyber security aspects of people suddenly having to do the majority of their work at home,” he adds, “And that posed very real security concerns, but the lack of people in offices – many of which remained operational – also posed dangers.” ‘Lloyd’ turned up at a large HQ in the centre of a city and took advantage of an undermanned reception desk to get around the frontline security.
“Social distancing measures had been put in place all over the offices,” he explains, “And that meant desks were either deliberately left empty or spread further apart. There were far fewer people around, and the social distancing imperative meant they were less likely to challenge someone they didn’t know. That was an opportunity for me to get into offices and rummage through unlocked cupboards. I managed to find files and other documents which I happily took photographs of, and then waltzed out, again without being challenged.” ‘Lloyd’ stressed that he could also have inserted flash drives into computers to steal digital data if he’d really wanted to.
“Penetration testing isn’t just about online security, it’s about physical security too,” says ‘Lloyd’. “Which is why that’s an important aspect of the job, as well as using a computer.”
His colleague, ‘Carla’, describes a project which combined physical pen testing with attempts to gain access via an organisation’s online domain. “I got access by using social distancing as a clever way to tailgate into a building without being challenged. Worked a treat. Once inside, I quickly managed to get administrative credentials using Responder. Simple. Done in seconds.
“Then I spent my time happily snapping pics of anything that looked sensitive. Got quite a lot of great stuff. Most of it was way too sensitive for a newbie like me to even know about, let alone copy.
“Would I be able to do the same thing on day two? That was the next part of the test. I went back, got in, but this time I did get challenged. I made an excuse which bought me some more time. Roamed around a bit more but was then challenged a second time. The guy was very suspicious and when my excuses proved to be too lame, he threatened to call the police. I phoned the client and revealed the pen test. Then we got down to seriously reviewing what went wrong.”
Looking for trouble is, it turns out, a great career.
If you’d like to know how our Pen Testers can look for trouble within your organisation – talk to us. Once we’re working for you, you’ll get to engage with the real testers behind the fake names.
What makes our Pen Testers different?
Complete security cannot be achieved through an entirely automated process. It requires a team that has the knowledge of every technical aspect of cyber security and an understanding of how people behave in real life. It is these skills, along with their ingenuity, that set our Pen Testers apart from our competitors.
Talking to you directly, with no account manager in between, our team can tailor services to your specific needs and work together or individually to help boost your defences. Working as a team, our Pen Testers can prepare for every eventuality, providing a strong and rigorous pen testing service and achieving results quickly and efficiently.
Contact us to find out more about our penetration testing services.