Hacking Is Problem Solving

WIN_20180108_13_09_44_Pro

People are always asking me “How do I hack?” That’s not an easy question to answer. It becomes a matter of learning. The question then becomes “How do I learn?” Now that is something that can be answered quite easily. Learning comes from an inbound curiosity and dedication to solving problems. A hacker is a problem solver, someone who will find a way around any obstacles to secure a resolution. Take for example my recent foray into lockpicking:

It only took one minute to rake the Masterlock padlock open with my inexpensive toolkit purchased from eBay. But this other one, an ancient and obsolete warded padlock posed a problem beyond my skill level and capabilities. I was officially stuck.

Nevertheless in this proof-of-work demonstrative photograph, you can see that the lock has in fact been opened. As a hacker, I had to solve my problem despite being personally incapable of doing so for myself. What did I do?

I went out for a jog on Monday, after sitting and contemplating all day Sun-Day, and made it down to Don’s Keyway in Fort Collins, my local neighborhood locksmith. I did not have to pay a dime to have the gentleman working there assist me with my problem, I just utilized some simple HUMINT skills to genuinely express interest in the craft and inquire why I had been stumped.

RESULT: Not only did I succeed in solving the original problem of opening the old lock, but I met a professional locksmith who was kind enough to answer questions which explained to me what I had been doing incorrectly and a better way to approach a similar problem in the future. I even got to see the tool used to open the lock and now know that warded padlocks are quite different than modern pinned locks. I was also inspired to jog down there which doubled the function of my sojourn into a chance for healthy exercise, and I was inspired to know that was seemed impossible to me took only thirty seconds for someone with more experience to accomplish.

You might ask yourself  “Why did I just read this article? It’s not even about hacking!” But let me tell you as a security researcher and business owner, and someone who has come into contact with the intelligence apparatus and defense contractors, with deep cover experience and lots of fieldcraft expertise, this is precisely how you learn to hack (even computers!). Sometimes the tool you think you need to do a DDoS can’t put out enough juice, or maybe the script you ran last week for some reason isn’t working this time, maybe that link you clicked was a spear phish and now you’ve got a JAVA rootkit on your box. . .

Trust me the way is straight and narrow is the gate. The obstacles are many and they will increasingly thwart your operational progress. This is when the script kiddie n00bs who ask me on Facebook “How do I hack?” will crumble and falter. If you want to hack, you have to solve your problem and it may or may not have anything to do with the computer, the Kali Linux terminal—you may have to use a trick.

FOOTHILLS FASHION MALL UNREQUESTED REDTEAM SECURITY ANALYSIS by Briq|Haus Ltd.

Purpose & Intent

BRIQ | HAUS LTD. SECURITY & INTELLIGENCE intends to interface and contract with other professionals and services to create customized logistical and analytical solutions for our clients while developing innovation at a physical headquarters.

This is the mission statement of my company, whose design is security-centric with the purpose of providing private sector security analysis on contractual basis. On October 10th, 2017, the owner/operator, myself, Robert Brooks Authement, went to the mall to try out the new city gym. In approaching the mall I was astounded at the countless abundance of security vulnerabilities I witnessed, so I pulled out my camera and began with great intentions a meager and cursory security analysis of the structure, personnel, and network integration present.

As a disclaimer, I am a rather unconventional thinker, which may be viewed from the narrow concept that would label such perspective a danger, or from the considerate standpoint that perhaps unconventional methodology such as I present here may in fact be an advantageous asset with which to ally oneself and one’s company.

Entry Into Building

I was chagrined to have entered the complex on foot from the south, coming up from Horsetooth road passing between the construction area near the sleep store to the west, and the facade of the Marriot Hotel to the east. As I entered the complex on foot, my path took me directly to an abutment and not a single sign nor portal within the mall could be located. I found this to be incredibly poor design, as I should have been met with an entrance to at least some retail business and perhaps signs with advertisements. Check 1; poor user experience based on un-mindful design.

I walked around the exterior of the building, and lo and behold, the first and only way inside I found was a backdoor which was PROPPED OPEN. Surely this was an “employee only” portal, but a gentleman within pointed through the hallway to how I may actually reach the mall, and my destination, the new city gym.

Further Exploration

I made it through my workout and put on my secret normal person costume. Here I perform a couple of feats of social engineering to be enjoyed by you and your affiliates. What am I doing? I’m demonstrating the effortless ease with which I can interpenetrate the supposed ‘boundaries’ of the establishment and even seamlessly bypass the scrutiny of onsite employees. Later I will demonstrate major defunct operability of the mall security team.

What Security???

Advantage Security Inc. was the chosen contractor to protect the people and assets of this multi-business establishment. Surely bigger does not mean better, as this under-equipped but highly versatile security analyst will demonstrate. My initial contact with security was brief and on the up and up, but what followed was demonstrably laughable in the confusion that ensued. Check 2; poor choice and lack of training/oversight for so-called ‘security staff.’

The Byzantine Attack, Bust, and Near-Meltdown

Your team will kindly forgive my resulting to use the vernacular during this video. I was followed outside by the security staff whom had taken to their neat-o rent-a-cop-mobiles. Despite walking away on friendly terms and having literally explained my intention and purpose for being there in clear and concise language, the team decided that since there was absolutely nothing to do, that I must be the lowest hanging fruit and therefore a legitimate threat. I entered the building at another side and then the team had positioned themselves in the center where I approached.

I pulled out my phone and told Blueteam Leader Captain Andrew, “Check this out.” With a $30 phone purchased off eBay I performed in less than 60 seconds time an effective cybersecurity audit of the pubic wifi network. Without going into the boring details of how I did that, the story continues by Andrew informing me that I would have to leave for the day because I was not “allowed to do ‘that’ or record at the mall.” Not allowed to record at the mall??? Oh I think he meant that I would not be allowed to record their lackadaisical and in my humble opinion totally insufficient security protocols and behavior. I acquiesced to the demand, but I put the personnel to a stress test by escalating the situation with language. No harm, no foul, they did perform professionally under the stress however my main analysis is that their aim was wrongfully directed at me as a danger.

I feel I should have been brought in and interviewed regarding my tradecraft and security expertise, however their behavior was key in encouraging me to follow through with due diligence and present my case to your team.

And as a disclaimer, my adrenaline was up from the quasi-confrontation so you will kindly allow for the little f-bomb I drop in here. This is what I mean by unconventional. Effective; but unconventional.

Last But Not Least. . .

One more little accident waiting to happen here.

Conclusive Analysis

Bigger is not always better! I remember the previous incarnation of our lovely town mall, and the present structure reminds me so much of a jail. Surely it was built to “trap” the tourists between the retail and restaurants/entertainment venues like some sort of citadel. Clearly the design was made by person’s whose main attention is to profitability and raising the bottom line. From the standpoint of this plucky and intrepid security analyst, wealth without security is only a target.

Check 3; total assessment = vulnerable. This facility is open season for petty thieves, grand larceny, social engineering and confidence schemes, network infiltration and identity theft, and would-be attackers with malicious intent. From my standpoint the Fort Collins Foothills Fashion Mall totally fails the BRIQ | HAUS LTD. SECURITY & INTELLIGENCE unrequested redteam security audit. Judging from my insider sources of DC employers, a great deal of people coming to Fort Collins for its charm and quiet appeal are either members of the United States Intelligence Community or War Veterans and Ex-Military or Government personnel. These people are extremely security conscious, and will see the flaws present in the design and systems integration of the mall. They may not pay much heed to the thought, but subconsciously, they will know that it is not a safe place.

The infrastructural vulnerabilities and risk exposure are just too numerous to count. Take a walk with me and I’ll show you, for a small consultation fee.

The network vulnerability is typical of public networks, however an astute system administrator can patch these vulnerabilities and make them go away.

With the 2017 holiday season incoming it is highly advisable to protect not only your property and investment, but the families of customers who go to the mall hoping for a peaceful and safe shopping experience. Thank you for reading my report, I can be reached at the following e-mail:

mailto:briqhausltd@gmail.com

Respectfully submitted this 10th day of October, 2017,

Sir Robert Brooks Authement; Owner/Operator

BRIQ | HAUS LTD. SECURITY & INTELLIGENCE