Sandbox To Fieldcraft: Ditching The Simulation

collage-2017-11-18

Playing In The Sandbox Is For Kids

[excerpt definition from Wikipedia]

In computer security, a sandbox is a security mechanism for separating running programs, usually in an effort to mitigate system failures or software vulnerabilities from spreading. It is often used to execute untested or untrusted programs or code, possibly from unverified or untrusted third parties, suppliers, users or websites, without risking harm to the host machine or operating system.[1] A sandbox typically provides a tightly controlled set of resources for guest programs to run in, such as scratch space on disk and memory. Network access, the ability to inspect the host system or read from input devices are usually disallowed or heavily restricted.

In the sense of providing a highly controlled environment, sandboxes may be seen as a specific example of virtualization. Sandboxing is frequently used to test unverified programs that may contain a virus or other malicious code, without allowing the software to harm the host device.[2]

All hackery aside, let’s take a step back and look at this in legitimate focus. The sandbox is a place designated for childplay. There is a spot on the playground, usually where the swings and other hardware are located where a pit is dug out and filled with sand on which the children play. The sand not only provides a medium with which the children can build the castles they envision, but a soft ground from which the blunt trauma of falling from a height may affect. I know this, because as a youngster I was a daredevil and jumping from a swing set led to a slight fracture of my radius. Thankfully, for the sand, I did not have to experience any worse of a consequence from my intrepid and frankly stupid maneuvers.

The same children playing in the sandbox are the ones whom grow up to perchance die on the beaches of theatre. I agree that this is an extremely stark comparison, with some grim consequencese for casual ignorance. Perhaps, conceptually, the idea of swords to ploughshares may be a goal to keep in mind, however the fallacy of importing only butter and no steel may spell the doom of an enterprise, or generation. There is not better time to take the kids out of the sandbox and drop them onto the beaches of conflict than right now. That’s because learning in a simulated environment is akin to handicapping the process by which we operate during mission critical scenarios.

Translated For Security Measures

Briq Haus Ltd. Security & Intelligence operatives are fully versed and trained in both aspects of security operations; sandbox and fieldcraft. While the benefit of practice in a secluded environment separate from the harsh realities of consequence and effect may be evident in reports and documents, it is a rare thing that during real-time security exercises and operations that enough streaming data is retained for the intention of creating some slide-show or powerpoint presentation. In the real world, there are ongoing causal relationships between the interplay of hostile foreign intelligences and mission-specific imperatives. The continuing dynamic and morphic environment of the field require out-of-the-box thinking, not delusional but rather unconventional.

Between the combined expertise of our information technology and intelligence community professionals, Briq Haus Ltd. not only boasts the boardroom banter to deliver effective presentation and slideshows as per sandbox experimentation dictates, but we have tried-and-true tested in the trenches fieldcraft experience in being exposed to the evolving risk dynamic and threat platform wielded by hostile foreign intelligences co-operating within the framework of real-world, non-simulated ongoing security operations. Being increasingly tested above and beyond the imagined or preset boundaries of a security experiment within a sandbox environment forces the experts on my team to constantly and consistently demonstrate proof-of-work mastery of security implementation and product deployment in the professional corporate theatre. We are not corporate goons, nor are we classroom geeks, we are ex-military and intelligence professionals with backgrounds ranging from digital to physical warfare, and with experience in advanced security environments actualizing each domain of the security spectrum; physical, logistical, analytical, and digital.

Professional Security Assurance

By consigning your security requirements to the oversight and analysis of the Briq Haus Ltd. team, you are ensuring that the utmost precision and dedication is applied to discovering, identifying, and patching any and all vulnerabilities in your business or other operation. The Briq Haus Ltd. “Perfect Security Suite” is your one step solution to have all your concerns handled and put to ease by our experts in these and all related regards. We are not discouraged or daunted by any of the present dangers lurking among the faceless corporate mass. We know that any single entity may wear the mask of friend, and turn out to be a formidable adversary or inside threat.

Briq Haus Ltd. Security & Intelligence is not limited by our challenges; but rather, we challenge all limits. Contract with us today, and rest at ease that your security concerns are in the hands of serious and capable operators. Thank you for considering us.

 

Advertisements

FOOTHILLS FASHION MALL UNREQUESTED REDTEAM SECURITY ANALYSIS by Briq|Haus Ltd.

Purpose & Intent

BRIQ | HAUS LTD. SECURITY & INTELLIGENCE intends to interface and contract with other professionals and services to create customized logistical and analytical solutions for our clients while developing innovation at a physical headquarters.

This is the mission statement of my company, whose design is security-centric with the purpose of providing private sector security analysis on contractual basis. On October 10th, 2017, the owner/operator, myself, Robert Brooks Authement, went to the mall to try out the new city gym. In approaching the mall I was astounded at the countless abundance of security vulnerabilities I witnessed, so I pulled out my camera and began with great intentions a meager and cursory security analysis of the structure, personnel, and network integration present.

As a disclaimer, I am a rather unconventional thinker, which may be viewed from the narrow concept that would label such perspective a danger, or from the considerate standpoint that perhaps unconventional methodology such as I present here may in fact be an advantageous asset with which to ally oneself and one’s company.

Entry Into Building

I was chagrined to have entered the complex on foot from the south, coming up from Horsetooth road passing between the construction area near the sleep store to the west, and the facade of the Marriot Hotel to the east. As I entered the complex on foot, my path took me directly to an abutment and not a single sign nor portal within the mall could be located. I found this to be incredibly poor design, as I should have been met with an entrance to at least some retail business and perhaps signs with advertisements. Check 1; poor user experience based on un-mindful design.

I walked around the exterior of the building, and lo and behold, the first and only way inside I found was a backdoor which was PROPPED OPEN. Surely this was an “employee only” portal, but a gentleman within pointed through the hallway to how I may actually reach the mall, and my destination, the new city gym.

Further Exploration

I made it through my workout and put on my secret normal person costume. Here I perform a couple of feats of social engineering to be enjoyed by you and your affiliates. What am I doing? I’m demonstrating the effortless ease with which I can interpenetrate the supposed ‘boundaries’ of the establishment and even seamlessly bypass the scrutiny of onsite employees. Later I will demonstrate major defunct operability of the mall security team.

What Security???

Advantage Security Inc. was the chosen contractor to protect the people and assets of this multi-business establishment. Surely bigger does not mean better, as this under-equipped but highly versatile security analyst will demonstrate. My initial contact with security was brief and on the up and up, but what followed was demonstrably laughable in the confusion that ensued. Check 2; poor choice and lack of training/oversight for so-called ‘security staff.’

The Byzantine Attack, Bust, and Near-Meltdown

Your team will kindly forgive my resulting to use the vernacular during this video. I was followed outside by the security staff whom had taken to their neat-o rent-a-cop-mobiles. Despite walking away on friendly terms and having literally explained my intention and purpose for being there in clear and concise language, the team decided that since there was absolutely nothing to do, that I must be the lowest hanging fruit and therefore a legitimate threat. I entered the building at another side and then the team had positioned themselves in the center where I approached.

I pulled out my phone and told Blueteam Leader Captain Andrew, “Check this out.” With a $30 phone purchased off eBay I performed in less than 60 seconds time an effective cybersecurity audit of the pubic wifi network. Without going into the boring details of how I did that, the story continues by Andrew informing me that I would have to leave for the day because I was not “allowed to do ‘that’ or record at the mall.” Not allowed to record at the mall??? Oh I think he meant that I would not be allowed to record their lackadaisical and in my humble opinion totally insufficient security protocols and behavior. I acquiesced to the demand, but I put the personnel to a stress test by escalating the situation with language. No harm, no foul, they did perform professionally under the stress however my main analysis is that their aim was wrongfully directed at me as a danger.

I feel I should have been brought in and interviewed regarding my tradecraft and security expertise, however their behavior was key in encouraging me to follow through with due diligence and present my case to your team.

And as a disclaimer, my adrenaline was up from the quasi-confrontation so you will kindly allow for the little f-bomb I drop in here. This is what I mean by unconventional. Effective; but unconventional.

Last But Not Least. . .

One more little accident waiting to happen here.

Conclusive Analysis

Bigger is not always better! I remember the previous incarnation of our lovely town mall, and the present structure reminds me so much of a jail. Surely it was built to “trap” the tourists between the retail and restaurants/entertainment venues like some sort of citadel. Clearly the design was made by person’s whose main attention is to profitability and raising the bottom line. From the standpoint of this plucky and intrepid security analyst, wealth without security is only a target.

Check 3; total assessment = vulnerable. This facility is open season for petty thieves, grand larceny, social engineering and confidence schemes, network infiltration and identity theft, and would-be attackers with malicious intent. From my standpoint the Fort Collins Foothills Fashion Mall totally fails the BRIQ | HAUS LTD. SECURITY & INTELLIGENCE unrequested redteam security audit. Judging from my insider sources of DC employers, a great deal of people coming to Fort Collins for its charm and quiet appeal are either members of the United States Intelligence Community or War Veterans and Ex-Military or Government personnel. These people are extremely security conscious, and will see the flaws present in the design and systems integration of the mall. They may not pay much heed to the thought, but subconsciously, they will know that it is not a safe place.

The infrastructural vulnerabilities and risk exposure are just too numerous to count. Take a walk with me and I’ll show you, for a small consultation fee.

The network vulnerability is typical of public networks, however an astute system administrator can patch these vulnerabilities and make them go away.

With the 2017 holiday season incoming it is highly advisable to protect not only your property and investment, but the families of customers who go to the mall hoping for a peaceful and safe shopping experience. Thank you for reading my report, I can be reached at the following e-mail:

mailto:briqhausltd@gmail.com

Respectfully submitted this 10th day of October, 2017,

Sir Robert Brooks Authement; Owner/Operator

BRIQ | HAUS LTD. SECURITY & INTELLIGENCE