Dark Reading is part of the Informa Tech Division of Informa PLC



9/14/2009
01:18 PM

Hacking A Board Meeting

A client recently asked us to gain access to its facility and attend a meeting of the board and executive management. Here at Secure Network we've been asked to gain access to numerous networks via social engineering techniques, but this job seemed rather unachievable at first. Turns out it was easier than we expected.

The client indicated a concern for data loss prevention -- it has protective measures in place for data leaving the network or being taken from a stolen laptop. But concerns about corporate espionage and intellectual threat occur at all levels, and our client thought it should start top-down. It gave us a five-day window for doing the job, and the rules of engagement required us to gain the intelligence needed to attend the board meeting. If successful, we were asked to record the meeting and then escape undetected.

We prepared for the effort by performing some simple reconnaissance. The client's office was located in a 30-story office building where it occupies five of the floors. The lobby was secured with a guard desk, and visitors were required to sign in and then wave a proximity card for elevator access.

We had to find a way to get details on when the meeting was being held without arousing suspicion. While checking out the perimeter of the building, we noticed a large limousine parked in front of the building. I approached the limo driver and pretended to be an office worker at our client's company. While I was making conversation with him, he indicated the hotel he was going to; he had been hired to transport executives for our client's company. I had now confirmed where the execs were staying and, more important, had a way to determine when to follow them into the building. During the recon of the building, we located the designated smoking area. While having a cigarette with one of the employees, I was able to derive the floor of the meeting room.

My partner and I made arrangements to stay at the same hotel our executives were staying at. When checking in, we represented ourselves as employees of our client. We took advantage of the corporate rate, but, more important, we were considered employees. Creating some friendly conversation with our desk clerk, we asked if some of our colleagues had checked in so we could call them to have a drink in the bar. After we mentioned a few names, our desk clerk asked us if we just wanted a list of who was staying from our company. To our disbelief, she handed over a list of names. Although no room numbers were included, the list was more than I expected.

I stationed myself in the hotel lobby waiting for our limo driver to return our executives for the evening. When they arrived, one of the people in the car spoke to the bell captain. Later that evening, I struck up a conversation with him and found our client would be departing the next day at 8:30 a.m. The following day, I positioned myself at a coffee shop across from our client's building. When the limo arrived, I made my way toward the building. To circumvent the proximity card system, I tailgated the entourage of executives and then rode the elevators to the floor they were on. I then located an area to sit without raising any suspicion, started my laptop, and proceeded to the break area to get a cup of coffee.

As I traveled through the office floor, I found a sitting area that was located next to the executives' meeting room. Incredibly, the sitting room was enclosed in glass and had full view of the meeting. I obtained a newspaper and some manila folders, and created the appearance of working. I removed my coat and positioned it so the button camera could video the presentation. After 45 minutes of filming, my objective was complete. Corporate slides of projected earnings, strategies, shortcomings, and a variety of other sensitive pieces of information were captured. My departure from the building was as easy as when I entered, carrying data that could potentially prove harmful to the company if in the wrong hands.

Within two days, a collection of seemingly disparate, innocuous pieces of information easily allowed the breach of this company's perimeter and the "loss" of corporate information.

Data loss prevention technologies are quickly evolving and becoming the hot topic of discussion for information technology departments. Our test clearly proved that technology itself is not a remedy. The ability to safeguard the numerous formats of data will continue to be a challenge for all organizations. Leveraging numerous technologies, educating employees, and hardening physical controls will all continue to play an important role for years to come.

Steve Stasiukonis is vice president and founder of Secure Network Technologies Inc. Steve serves as president of Secure Network, focusing on penetration testing, information security risk assessments, incident response and digital investigations. Steve has worked in the field of information security since 1997. As a part of that experience, Steve is an ...
