Reminds me of an old “hidden camera” stunt. A set of people dressed in work clothes enter a furniture shop, and start taking down and carting out a living room. Then they come back and take a bedroom and a kitchen, too. Asked by the staff, the “boss” of the crew (the guy with the clipboard) just replied that they were doing what they were told to. Staff even helped them by holding the door open when they moved stuff out.
Clipboard and a collar are all you need to get anywhere and do almost anything. Just act like you belong there and are annoyed that people are in the way of your *activity
Go to any pharmacy or dollar store, go to the food section with a cart and a clipboard. Take random stuff off the shelf turn it around, scribble nonsense on the clipboard and then just leave with whatever. No one will ask what your doing, and if they do just say “I am the inspector mate” and you will be home before they even realized what happened. Not condoning, just saying.
So there is a type of cybersecurity job known as a ‘red teamer’. It is a special branch of offensive security, and differs from the likes of a penetration tester in that they fully act like blackhats as much as is possible without actually doing intentional damage.
That means, you plan an attack, you plot a way in and you reach a given objective. How you do so is up to you; you are not limited to digital attacks just as real attackers wouldn’t be. You can rock up to site in disguise and walk your way in if you so feel that’s the best route. Tailgating, lying to people, cloning ID cards, or have a friend joyride on an escooter to provide a distraction while you hop a fence, it’s all fair game.
The only things you aren’t allowed to do is pretend to be a boss and threaten to have someone fired (or other shit that could cause mental harm) or intentional physical damage to property (eg: lockpicking is fine even if you accidentally fuck up the lock. Wire cutting generally isn’t)
The assignments where we rocked up on site were my favourites. It was always a rush slipping by people and hoping I didn’t arouse suspicion.
These things take months to plan though, so we pick high value targets owned by the business employing us. The person in charge of that facility will be notified that something is about happen but not crucial details that can throw the test, such as when it will happen. I can’t go into details about the targets I’ve hit (red team NDAs make regular NDAs look like Donald Trump’s attitude to confidential information by comparison) but they’re the kind state sponsored attacker’s and organised crime outfits would typically hit.
Reminds me of an old “hidden camera” stunt. A set of people dressed in work clothes enter a furniture shop, and start taking down and carting out a living room. Then they come back and take a bedroom and a kitchen, too. Asked by the staff, the “boss” of the crew (the guy with the clipboard) just replied that they were doing what they were told to. Staff even helped them by holding the door open when they moved stuff out.
Oh yeah. A hi-vis jacket and appropriate accessories can get you almost anywhere
Clipboard and a collar are all you need to get anywhere and do almost anything. Just act like you belong there and are annoyed that people are in the way of your *activity
Go to any pharmacy or dollar store, go to the food section with a cart and a clipboard. Take random stuff off the shelf turn it around, scribble nonsense on the clipboard and then just leave with whatever. No one will ask what your doing, and if they do just say “I am the inspector mate” and you will be home before they even realized what happened. Not condoning, just saying.
Ahh this takes me back. My previous line of work had me pulling exactly this kind of shit, except I was getting into higher value targets.
You can’t just say that and leave come on
So there is a type of cybersecurity job known as a ‘red teamer’. It is a special branch of offensive security, and differs from the likes of a penetration tester in that they fully act like blackhats as much as is possible without actually doing intentional damage.
That means, you plan an attack, you plot a way in and you reach a given objective. How you do so is up to you; you are not limited to digital attacks just as real attackers wouldn’t be. You can rock up to site in disguise and walk your way in if you so feel that’s the best route. Tailgating, lying to people, cloning ID cards, or have a friend joyride on an escooter to provide a distraction while you hop a fence, it’s all fair game.
The only things you aren’t allowed to do is pretend to be a boss and threaten to have someone fired (or other shit that could cause mental harm) or intentional physical damage to property (eg: lockpicking is fine even if you accidentally fuck up the lock. Wire cutting generally isn’t)
The assignments where we rocked up on site were my favourites. It was always a rush slipping by people and hoping I didn’t arouse suspicion.
These things take months to plan though, so we pick high value targets owned by the business employing us. The person in charge of that facility will be notified that something is about happen but not crucial details that can throw the test, such as when it will happen. I can’t go into details about the targets I’ve hit (red team NDAs make regular NDAs look like Donald Trump’s attitude to confidential information by comparison) but they’re the kind state sponsored attacker’s and organised crime outfits would typically hit.
Love it
It was an amazing job. Pays well too. Easily in the 6 figures if you’re in America (although that comes with additional risks…)
I’ve seen this in a documentary before…
Here is an alternative Piped link(s):
I’ve seen this in a documentary before…
Piped is a privacy-respecting open-source alternative frontend to YouTube.
I’m open-source; check me out at GitHub.