December 18, 2019

I’ve been enjoying two after-work activities that have collided into this blog post. One is listening to the podcast DarkNet Diaries, and the other is playing pickup basketball. Bear with me for a moment, as said “collision” will take a little bit to explain.

DarkNet Diaries Highlights

If there is one new podcast you should take up in 2020, check out DarkNet Diaries. A veritable “Get to Know a Hack” podcast that has been running for just over two years, DarkNet Diaries spends 20-60 minutes breaking down a different hack each week. Each episode is self-contained, meaning you can jump in and out and listen to episodes in any order. Some analyze well-publicized breaches, such as Stuxnet or the IRS breach, while others unearth hidden gems with “scoop”-worthy details that come to DarkNet first (such as U.S. military cyber operations against ISIS). They are easy to follow, great to listen to while commuting, and well balanced: they explore technical content while assuming very little familiarity with the techspeak and overloaded acronyms of cybersecurity.

Listening to the techniques, approaches, considerations, and steps hackers take to penetrate buildings, systems, networks, and cultures has been an eye-opening and thought-provoking exercise for me. While these concepts would be blindingly obvious to any Red Team (hired, sponsored attackers of military or enterprise IT systems), I’ve learned a lot about how persistent, devious, thoughtful, patient, creative, and wide-ranging attacks can be. From the pedestrian, such as piggybacking, to the more sophisticated RFID duplication outlined in Episode 41, or the head-slapping human failures (such as Episode 3’s breakdown of the DigiNotar Certificate Authority hack, which started with an admin deliberately leaving their mandatory smartcard in the machine so they could access it over the weekend), you gain an appreciation and a more visceral understanding of threat vectors.

And if you listen long enough, you may also start to think like a hacker. Which comes to my collision…

Pickup Basketball Highlights

Living in California means that you can play pickup basketball easily and frequently on public and corporate basketball courts. And I happen to work near the campus of one of the largest cybersecurity technology providers on the planet. Said firm has three outdoor basketball courts, and good pickup games run on one of those courts during lunchtime and after work. I can’t recall when or how I started playing there, but I simply showed up, no one asked any questions, and I’ve been playing b-ball there for the last few years.

Every day, there is a good assortment of players, some of whom, I’ve come to learn, are PhD researchers in the advanced threat research division of the firm. And each afternoon, we show up, put down our phones and badges, and form on-the-fly teams. Players come and go, but the badges and phones essentially stay on the ground the whole time (see below).

Collisions

(Names de-identified to protect the innocent)

Now think about what this photo actually means, hacker-wise.

  1. I am on the campus of one of the world’s most important cybersecurity providers, whose code and products protect governments, the largest public cloud companies, the largest mobile, internet and Fortune 10 companies, and billions of end users worldwide. I get to freely walk on and off their campus every day.
  2. It would be “trivial” to take ANYONE’s phone and badge. I could take it and keep it, or take it “by accident” and return it thirty minutes later.
  3. More powerfully, as documented in Episode 42, I could simply carry a knapsack with RFID badge reading/skimming technology inside, and gain permanent access to all ~18 badges that show up on the court.
  4. Once cloned, I now have the badges of not just the folks with “standard access” on the campus, but presumably also those of the advanced research lab staff, who would likely have “secondary” badge access to the most protected floors and buildings on the campus.
  5. The badge is a powerful asset, which in and of itself opens up building access, floor access, weekend access, and potentially network access (can we say dropbox, anyone?).

That’s just what the badge gets me. Think about what the badge AND the phone could mean. I’ve seen users check their phones, and put them down open and unlocked. An unlocked iPhone and a badge now means some huge potential havoc:

  1. Keep that phone active and it will remain open and present text messages in the clear.
  2. With their username printed on the badge, I could open their email and determine that player’s cube location (via the directory in the email app, for example). I could literally walk to their very machine on the corporate campus.
  3. Keep that phone active and I could also use it as a single factor to reset passwords. Now I could go to that same laptop and, without knowing their password, trigger change-password routines that would likely verify ME with codes sent to THEIR open phone.
  4. And so on…

A picture is worth a thousand hacks. Or at least, hundreds of entryways into one of the more important campuses in the world, with, presumably, some of the tightest and most arduous security controls.

Conclusions

Security is tough. It’s not immediately clear to me what said cybersecurity firm could do differently. But I will concede that, at a minimum, I’d have to be physically present onsite to achieve this. Some additional thoughts on reducing these attack vectors:

  • The company could try to enforce employee-only participation, such as placing the court behind fencing and badge access. However, I suspect that I could piggyback through with enough tries.
  • The badges could omit their users’ names. It’s not clear to me why the corporate username is printed on them. This may be a trend of “friendliness” borrowed from the likes of Facebook or Apple, but printing the username on the badge may give away more information than needed.
  • They could upgrade from RFID to more costly badge technologies such as biometrics or FIDO. That one doesn’t seem practical at the scale of thousands of employees.
  • Reconsider change-password routines, perhaps by also asking secret questions. I am not sure my change-password attacks would work as described; however, it does show that a corporate user on a corporate network with a corporate machine plus a smartphone may not be the barrier you thought it was.
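The last bullet, that a reset should not hinge on a single code sent to the phone, can be made concrete. The Python below is an added example, not code from the original post or from the firm described; every name in it (Factor, reset_decision, knowledge_check, the three-failure lockout, the sample recovery answer) is a constructed assumption. It models a reset policy that requires two factors of different kinds, stores recovery answers hashed and compares them in constant time, and locks the flow after repeated wrong answers, so whoever holds an unlocked phone but lacks the recovery answer is denied.

```python
# Added example (not from the original post): a password-reset policy that
# refuses to treat a one-time code on the user's phone as sufficient on its own.
# All identifiers below are hypothetical.
import hashlib
import hmac
import os
from enum import Enum


class Factor(Enum):
    """Kinds of evidence a reset flow can collect (hypothetical names)."""
    POSSESSION = "possession"   # one-time code delivered to a registered phone or app
    KNOWLEDGE = "knowledge"     # recovery PIN or secret answers only the user knows
    APPROVAL = "approval"       # out-of-band confirmation by helpdesk or manager


MAX_KNOWLEDGE_FAILURES = 3      # constructed limit: lock the flow after 3 wrong answers


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Hash a recovery answer for storage (normalised so case/spacing do not matter)."""
    normalised = " ".join(secret.lower().split()).encode()
    return hashlib.pbkdf2_hmac("sha256", normalised, salt, 100_000)


def knowledge_check(stored: tuple, supplied: str) -> bool:
    """Compare a supplied answer with the stored (salt, hash) pair in constant time."""
    salt, expected = stored
    return hmac.compare_digest(hash_secret(supplied, salt), expected)


def reset_decision(verified: set, knowledge_failures: int) -> tuple:
    """Return (allowed, reason). Two *different* kinds of factor are required,
    so a code read off an unlocked phone never authorises a reset by itself."""
    if knowledge_failures >= MAX_KNOWLEDGE_FAILURES:
        return False, "reset flow locked: too many failed recovery answers"
    if not verified:
        return False, "no factor verified"
    if len(verified) == 1:
        only = next(iter(verified))
        return False, f"single factor ({only.value}) is not enough to reset a password"
    return True, "two independent factors verified"


def walkthrough() -> dict:
    """Constructed scenarios mirroring the post: phone only, phone plus answer, guessing."""
    salt = os.urandom(16)
    stored = (salt, hash_secret("blue heron", salt))   # enrolled at onboarding (constructed)

    # 1. Whoever holds the unlocked phone receives the SMS code but knows no answer.
    phone_only = reset_decision({Factor.POSSESSION}, knowledge_failures=0)

    # 2. The account owner has the phone and also answers the recovery question.
    verified = {Factor.POSSESSION}
    if knowledge_check(stored, "  Blue   Heron "):
        verified.add(Factor.KNOWLEDGE)
    phone_and_answer = reset_decision(verified, knowledge_failures=0)

    # 3. Three wrong answers lock the flow even though the phone code was valid.
    failures = sum(1 for guess in ("eagle", "grey heron", "blue herring")
                   if not knowledge_check(stored, guess))
    locked = reset_decision({Factor.POSSESSION}, knowledge_failures=failures)

    return {"phone_only": phone_only, "phone_and_answer": phone_and_answer, "locked": locked}


if __name__ == "__main__":
    for name, (allowed, reason) in walkthrough().items():
        print(f"{name:17s} -> {'ALLOW' if allowed else 'DENY '}: {reason}")
```

The design point is that the second factor must be of a different kind from the first: a second code sent to the same phone would still be a single possession factor, and the policy counts kinds, not codes. The lockout counter would in practice be kept server-side per account, so that guessing from the phone cannot reset it.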

At the end of the day, this is yet another example of how humans, by their nature (leaving smartcards inside machines, or badges on the bball court), can often represent the biggest weakness in the organization. … Which, I guess, ultimately makes this blog post an advertisement for Zero Trust.

Keep those badges in your pockets, ballers.