Challenging Security Limitations: White vs. Black Box Testing & Real Risk

I awoke in the middle of the night. It was the witching hour, 3am! Rapidly behind my lowered eyelids pie-graphs and charts explaining esoteric security concepts flashed in sequence, but I was too groggy to retain everything I learned. Why I am chosen for this sort of lucidity, I will never understand. This article is an attempt to best re-create the deeper concepts I received in that vision, but a week has elapsed since that night and therefore I have mostly forgotten everything. I’ll just have to wing it.

White Box Vs. Black Box

The article I have linked above describes the difference between security and/or software testing procedures in which internal elements are either known or unknown by the testers. Knowing the internal workings in a test allows for a more thorough and rigorous approach to each and every individual node or aspect of the subject, whereas a Redteam performing an unknown or Black Box test may not strike upon every single nuance built into the system, but may come up with something heretofore unknown. The Black Box test is conducted exclusively by third-party security or testing professionals, which is requisite due to their specific insights into security penetration and access. For these reasons, it is considered a “low-level” test which is also known as an integration or unit test. It is conducted, in other words, from the outside working inward.

White Box tests are usually conducted by software developers or some part of the internal staff working on the project or overview. White Box tests are considered high-level tests, also called system or acceptance testing. These tests are intended to make the system fully airtight after the beta-testing bugs have been detected and eliminated. The benefit of White Box testing is thoroughness, insofar as the team knows the way the program or plan “should” work and can therefore test against this ideal. An internal team conducting this type of test knows the code (or building scheme; what have you), and therefore possesses an eagle-eye view of the entirety of the subject’s workings.

So Which Is Better For Your Company?

Before I answer this question for you, ask yourself:

  1. Do I have an internal team already providing White Box testing?
  2. Are they specifically hired for testing, or did we just divert Sheila and Burt from engineering over there to do another bug-sweep? (Remember what happened in the 1986 film Aliens.)
  3. If you have a specific internal team for testing, are they getting on well with engineering? Do they have a working rapport and are able to comprehend each other effectively leading up to the testing phase?
  4. Did you seek professional consulting from a specialized security Redteam?
  5. If you did not answer ‘YES’ to each of the above questions, you and your company are not necessarily ready for what I am about to reveal to you in the next section.

Attrition Theory

I am not a mathematician; however, I think you can get behind me on this.

x/a – y/b = (+, – = successful, unsuccessful)

Attrition Theory basically asserts that given company a with resources x (personnel, training level, security architecture, security equipment, surveillance, etc.) when attacked by competitor (or OpFor) with resources y, a simple subtraction is necessary to determine who is successful in the attack. If the OpFor is willing to invest enough time and resources into their raid on company a, their success will be indicated by the result being a negative number, having taken the amount of invested resources from company a into the red.

Is your company ready for your competitor or OpFor to outbid you on your willingness to invest in preventative security measures? Following a breach, it may be too late to save face so insurance, or the ability to clean up after the fact, is just not going to be enough.

Now to answer the question I asked before: Which sort of test is better?

Chew On This

So your internal team designated another internal team to do the testing. Ok. So the engineers got with the testers and did a PowerPoint powwow. Sure. So then after that you decided you still thought it would be wise to get an outside team to consult. Good. They do their scans and don’t really provide any insight beyond the scope of the White Box team, but good on you for checking. So you’re awesome, right? Invulnerable!

BRIQ | HAUS LTD. SECURITY & INTELLIGENCE has the guts to ask you these hard questions:

  1. How secure is your facility/program in case of a fire drill? Do you have protocols in place to handle securing end users’ data BEFORE they flee the scene?
  2. What about in case of a REAL FIRE? And are you willing to test this in a non-drill scenario to absolutely ensure your security protocols work?
  3. Is your staff alerted to the higher danger of active shooters, like the scenario recently at YouTube? If so, do you again have a plan in place to protect end-user data from a potential shooter or *gasp* terrorist attack?
  4. What about acts of God like locusts, plague, or you know, floods? Are you guys going to not only get out of the building safe, but will you be able to stop Boris & Natasha from killing Moose’n’Squirrel during the disaster? For the OpFor, luck is when preparedness meets opportunity.
  5. If you didn’t answer ‘YES’ to each of the above questions, you need to contact us at BRIQ | HAUS LTD. SECURITY & INTELLIGENCE and immediately schedule a consultation. Our information technology and intelligence community professionals know things that can protect your bottom line, so you can stop worrying about all the hard realisms I just threw at you.

My name is Robert Brooks Authement, owner and operator of Briq Haus Ltd. I think like the bad guys so you and your team don’t have to. If you think these insights can be of assistance to you and your company, please consider me and my team at your service.

Friday / Field Day – Anomaly Detection & Navigation In The Construct

Following the time I spent in Washington DC, and my clandestine studies with colleagues in the field and in security sandbox environments, I developed a sort of counterintelligence awareness I can only compare to a psychic sixth sense. And while I take the time in this article to describe something which came to my awareness, I will not bend your ear to my weird and eldritch technologies. The purpose is not to “make a believer” out of you, but rather just an exposition of what I have noticed while exploring my local environs, especially following my development of this level of security and counterintelligence awareness.

Fort Collins, Colorado, as I have described in my original security blog post Hacking USA, is a drinking town with a college problem. Over the years it has grown significantly, mostly due to Forbes and other magazines labeling it as the “No. 1” place in America to live. Needless to say, this has become problematic for me insofar as, well, incredible numbers of unfamiliar faces showing up in familiar places trigger a sort of security alarm in my mind. It could be imagination, or it could be accurate assessment, that perhaps the unfamiliar faces are some sort of security or intelligence apparatus operating in what used to be “my field.”

Not only are there lots of new faces, but as the large groups of people move into my field, they are in fact generally wealthy folk, or at least generally more wealthy than me. So as I watch the phenomenon evolve, I see whatever used to at one time be familiar to me become increasingly marginalized and made scarce. These are the socio-economic changes I have observed in the local field, but what other elements may be at play?

ELECTRONIC INTELLIGENCE OPERATIONS

The reason for entitling my article “Friday / Field Day” has something to do with the less visible and only subtly observable phenomenal dynamics as represented by group behaviors and expressions observed in my local field. At times when I go out, I observe the quality of persons and operational intelligences in my field. Friday is an especially fortuitous day to do this. Not only do people get paid on payday, or out of school or their work week or what have you, but there is another level to Fridays that may relate to what are termed by the National Security Agency as Electronic Intelligence Operations.

What I am proposing, and bear with my wild suppositions, but what I believe is actually occurring is a sort of frequency distribution behavioral modification technology in deployment, especially in higher population densities. An Electronic Intelligence Operation (ELINT) occurring in public places with the deployment of biosensors, or even just radio technologies which are known to affect the human central nervous system, can cause a group behavior phenomenon to express itself even visibly among humans. In a similar fashion to a school of fish using their lateral line organs to detect the movement of the group, human behavior can similarly be controlled or directed by the influence of ELINT.

I’m not sure that I’ll be going out every Friday to observe the group dynamics of the field. I do, however, encourage you as a fellow security researcher to note the subtle behaviors and attitudes and expressions of the groups witnessed afield, and how they subtly differentiate between the days of Friday and Sunday.

Getting Started With Security: $38 SPECIAL

Security Is A Commodity; We Make It Easy To Buy

Let’s cut the cake. “Wealth without security is only a target.” Right now security is in high demand. As the risk platform of all domains is rapidly expanding so are the needs to stop gaps and fill roles in corporate, international, and digital security. Large scale cyber attacks committed by criminal elements and state actors are having real and lasting effects on the way business is being conducted online, with the potential to stop or even steal critical financial data transmissions.

HERE’S THE DEAL: Sign a year contract with us for $100, and pay only $38 a month for:

  1. Monthly network scans and audits, and a stress test to ensure DDoS protection.
  2. Access to our security experts for consultation phone calls. Consultation on activities outside and beyond the scope of this contract will incur relevant fees.
  3. Incident response in case of any breach or security concerns.
  4. A monthly email newsletter with our combined meta-analysis of the present risk-platform as expressed in the global and digital domains.
  5. An easy way to upgrade or update your security plan with BRIQ HAUS LTD. SECURITY & INTELLIGENCE.

Sandbox To Fieldcraft: Ditching The Simulation

Playing In The Sandbox Is For Kids

[excerpt definition from Wikipedia]

In computer security, a sandbox is a security mechanism for separating running programs, usually in an effort to mitigate system failures or software vulnerabilities from spreading. It is often used to execute untested or untrusted programs or code, possibly from unverified or untrusted third parties, suppliers, users or websites, without risking harm to the host machine or operating system.[1] A sandbox typically provides a tightly controlled set of resources for guest programs to run in, such as scratch space on disk and memory. Network access, the ability to inspect the host system or read from input devices are usually disallowed or heavily restricted.

In the sense of providing a highly controlled environment, sandboxes may be seen as a specific example of virtualization. Sandboxing is frequently used to test unverified programs that may contain a virus or other malicious code, without allowing the software to harm the host device.[2]

All hackery aside, let’s take a step back and look at this in legitimate focus. The sandbox is a place designated for child’s play. There is a spot on the playground, usually where the swings and other hardware are located, where a pit is dug out and filled with sand on which the children play. The sand not only provides a medium with which the children can build the castles they envision, but a soft ground to cushion the blunt trauma of falling from a height. I know this, because as a youngster I was a daredevil and jumping from a swing set led to a slight fracture of my radius. Thanks to the sand, I did not have to experience any worse of a consequence from my intrepid and frankly stupid maneuvers.

The same children playing in the sandbox are the ones who grow up to perchance die on the beaches of theatre. I agree that this is an extremely stark comparison, with some grim consequences for casual ignorance. Perhaps, conceptually, the idea of swords to ploughshares may be a goal to keep in mind; however, the fallacy of importing only butter and no steel may spell the doom of an enterprise, or generation. There is no better time to take the kids out of the sandbox and drop them onto the beaches of conflict than right now. That’s because learning in a simulated environment is akin to handicapping the process by which we operate during mission critical scenarios.

Translated For Security Measures

Briq Haus Ltd. Security & Intelligence operatives are fully versed and trained in both aspects of security operations: sandbox and fieldcraft. While the benefit of practice in a secluded environment separate from the harsh realities of consequence and effect may be evident in reports and documents, it is a rare thing that during real-time security exercises and operations enough streaming data is retained for the intention of creating some slide-show or PowerPoint presentation. In the real world, there are ongoing causal relationships between the interplay of hostile foreign intelligences and mission-specific imperatives. The continuing dynamic and morphic environment of the field requires out-of-the-box thinking, not delusional but rather unconventional.

Between the combined expertise of our information technology and intelligence community professionals, Briq Haus Ltd. not only boasts the boardroom banter to deliver effective presentations and slideshows as per sandbox experimentation dictates, but we have tried-and-true tested in the trenches fieldcraft experience in being exposed to the evolving risk dynamic and threat platform wielded by hostile foreign intelligences co-operating within the framework of real-world, non-simulated ongoing security operations. Being increasingly tested above and beyond the imagined or preset boundaries of a security experiment within a sandbox environment forces the experts on my team to constantly and consistently demonstrate proof-of-work mastery of security implementation and product deployment in the professional corporate theatre. We are not corporate goons, nor are we classroom geeks; we are ex-military and intelligence professionals with backgrounds ranging from digital to physical warfare, and with experience in advanced security environments actualizing each domain of the security spectrum: physical, logistical, analytical, and digital.

Professional Security Assurance

By consigning your security requirements to the oversight and analysis of the Briq Haus Ltd. team, you are ensuring that the utmost precision and dedication are applied to discovering, identifying, and patching any and all vulnerabilities in your business or other operation. The Briq Haus Ltd. “Perfect Security Suite” is your one-step solution to have all your concerns handled and put to ease by our experts in these and all related regards. We are not discouraged or daunted by any of the present dangers lurking among the faceless corporate mass. We know that any single entity may wear the mask of friend, and turn out to be a formidable adversary or inside threat.

Briq Haus Ltd. Security & Intelligence is not limited by our challenges; rather, we challenge all limits. Contract with us today, and rest at ease that your security concerns are in the hands of serious and capable operators. Thank you for considering us.

FOOTHILLS FASHION MALL UNREQUESTED REDTEAM SECURITY ANALYSIS by Briq|Haus Ltd.

Purpose & Intent

BRIQ | HAUS LTD. SECURITY & INTELLIGENCE intends to interface and contract with other professionals and services to create customized logistical and analytical solutions for our clients while developing innovation at a physical headquarters.

This is the mission statement of my company, whose design is security-centric with the purpose of providing private sector security analysis on a contractual basis. On October 10th, 2017, the owner/operator, myself, Robert Brooks Authement, went to the mall to try out the new city gym. In approaching the mall I was astounded at the countless abundance of security vulnerabilities I witnessed, so I pulled out my camera and began with great intentions a meager and cursory security analysis of the structure, personnel, and network integration present.

As a disclaimer, I am a rather unconventional thinker, which may be viewed from the narrow concept that would label such perspective a danger, or from the considerate standpoint that perhaps unconventional methodology such as I present here may in fact be an advantageous asset with which to ally oneself and one’s company.

Entry Into Building

I was chagrined to have entered the complex on foot from the south, coming up from Horsetooth Road passing between the construction area near the sleep store to the west, and the facade of the Marriott Hotel to the east. As I entered the complex on foot, my path took me directly to an abutment and not a single sign nor portal within the mall could be located. I found this to be incredibly poor design, as I should have been met with an entrance to at least some retail business and perhaps signs with advertisements. Check 1; poor user experience based on un-mindful design.

I walked around the exterior of the building, and lo and behold, the first and only way inside I found was a backdoor which was PROPPED OPEN. Surely this was an “employee only” portal, but a gentleman within pointed through the hallway to how I may actually reach the mall, and my destination, the new city gym.

Further Exploration

I made it through my workout and put on my secret normal person costume. Here I perform a couple of feats of social engineering to be enjoyed by you and your affiliates. What am I doing? I’m demonstrating the effortless ease with which I can interpenetrate the supposed ‘boundaries’ of the establishment and even seamlessly bypass the scrutiny of onsite employees. Later I will demonstrate major defunct operability of the mall security team.

What Security???

Advantage Security Inc. was the chosen contractor to protect the people and assets of this multi-business establishment. Surely bigger does not mean better, as this under-equipped but highly versatile security analyst will demonstrate. My initial contact with security was brief and on the up and up, but what followed was demonstrably laughable in the confusion that ensued. Check 2; poor choice and lack of training/oversight for so-called ‘security staff.’

The Byzantine Attack, Bust, and Near-Meltdown

Your team will kindly forgive my resorting to the vernacular during this video. I was followed outside by the security staff, who had taken to their neat-o rent-a-cop-mobiles. Despite walking away on friendly terms and having literally explained my intention and purpose for being there in clear and concise language, the team decided that since there was absolutely nothing to do, I must be the lowest hanging fruit and therefore a legitimate threat. I entered the building at another side and then the team had positioned themselves in the center where I approached.

I pulled out my phone and told Blueteam Leader Captain Andrew, “Check this out.” With a $30 phone purchased off eBay I performed in less than 60 seconds’ time an effective cybersecurity audit of the public wifi network. Without going into the boring details of how I did that, the story continues by Andrew informing me that I would have to leave for the day because I was not “allowed to do ‘that’ or record at the mall.” Not allowed to record at the mall??? Oh I think he meant that I would not be allowed to record their lackadaisical and in my humble opinion totally insufficient security protocols and behavior. I acquiesced to the demand, but I put the personnel to a stress test by escalating the situation with language. No harm, no foul, they did perform professionally under the stress; however, my main analysis is that their aim was wrongfully directed at me as a danger.

I feel I should have been brought in and interviewed regarding my tradecraft and security expertise, however their behavior was key in encouraging me to follow through with due diligence and present my case to your team.

And as a disclaimer, my adrenaline was up from the quasi-confrontation so you will kindly allow for the little f-bomb I drop in here. This is what I mean by unconventional. Effective; but unconventional.

Last But Not Least. . .

One more little accident waiting to happen here.

Conclusive Analysis

Bigger is not always better! I remember the previous incarnation of our lovely town mall, and the present structure reminds me so much of a jail. Surely it was built to “trap” the tourists between the retail and restaurants/entertainment venues like some sort of citadel. Clearly the design was made by persons whose main attention is to profitability and raising the bottom line. From the standpoint of this plucky and intrepid security analyst, wealth without security is only a target.

Check 3; total assessment = vulnerable. This facility is open season for petty thieves, grand larceny, social engineering and confidence schemes, network infiltration and identity theft, and would-be attackers with malicious intent. From my standpoint the Fort Collins Foothills Fashion Mall totally fails the BRIQ | HAUS LTD. SECURITY & INTELLIGENCE unrequested redteam security audit. Judging from my insider sources of DC employers, a great deal of people coming to Fort Collins for its charm and quiet appeal are either members of the United States Intelligence Community or War Veterans and Ex-Military or Government personnel. These people are extremely security conscious, and will see the flaws present in the design and systems integration of the mall. They may not pay much heed to the thought, but subconsciously, they will know that it is not a safe place.

The infrastructural vulnerabilities and risk exposure are just too numerous to count. Take a walk with me and I’ll show you, for a small consultation fee.

The network vulnerability is typical of public networks; however, an astute system administrator can patch these vulnerabilities and make them go away.

With the 2017 holiday season incoming it is highly advisable to protect not only your property and investment, but the families of customers who go to the mall hoping for a peaceful and safe shopping experience. Thank you for reading my report, I can be reached at the following e-mail:

briqhausltd@gmail.com

Respectfully submitted this 10th day of October, 2017,

Sir Robert Brooks Authement; Owner/Operator

BRIQ | HAUS LTD. SECURITY & INTELLIGENCE

Quantus Security Audits | Protecting Your Assets

For clients seeking professional penetration testing, on site infrastructural, or personal security analysis, I proudly present a thorough and rigorous audit from Quantus.

I am presently an authorized sales agent for Quantus Security, offering extensive security audits for your firm to maintain your sensitive client-side data assets. Protect your bottom line and boost performance; call us today to schedule an initial assessment and competitive quote.

1-970-427-4884