I found this story yesterday and was quite confused as well, because in the YouTube video of him telling the story that they link, he just leaves that part out. But in the audio at the top of the page (and the transcript), he explains it.
It is covered if you hear the full podcast episode. Coincidentally, I heard the episode only last week and was one of my favourite episodes from this podcast so far.
Actually had similar experience pen-testing a large financial institution. Was plotted up in their training room and was circa late 90's and I had a boot floppy distro (TRINUX iirc) which had the tools I wanted (tcpdump, nmap...). So quickly turned a training PC into my terminal of choice and mapping the network out and came across an AS/400. Quickly dug out my notes upon such beasts and turned out that the shipping default accounts had not been disabled and was quickly in.
Having a look about it turned out very quickly to be a financial system that had nothing to do with the client. Actually seemed to be a case of the system was sharing data and a college of mine soon pointed out that this stunk at not only a security level but more importantly the financial services regulation. We did the report and that whole aspect got swept under the carpet and I was never asked back to that clients site ever again.
That's not the worst story of security within a financial service company/bank I've experienced but sure did start to open my eye's how interlocked some companies are with others who you would not expect for numerous reasons.
I will say that if you do find yourself in places you wasn't expecting, you do notice and notice pretty quickly and raise questions, also you start to become more mindful - "how easy would it be to social engineer penetration testers to break into a bank for you", it's a thought and more so as they would just need to engineer management to task you such a job. Not aware of that happening, but can easily see how that could be orchestrated.
>they would just need to engineer management to task you such a job.
I like the idea of social engineering management into hiring pen testers... How large a shadow organization could conceivably remain undetected on the payrolls of a large corporation, I wonder.
There's a short story in there somewhere, at the very least.
Some companies need to be tested for legal reasons or because the parent company requires it. It's often easy to tell when you're dealing with one of those from the details being incomplete or coming in late (like get the API docs 7 days into the 5-day test - so we basically didn't test, but we still have to bill the reserved time), but if it's unclear, being a little too happy with an empty report and inviting us to test another thing is another tell-tale.
Well, the report is never empty but in general it's not as if you always hit jackpot, sometimes there's a very small attack surface in a black box test (or if it's a black box because your account credentials are still not arranged...), sometimes there's a mostly default install of something and that's secure by default because a lot of people already looked at the project, or sometimes they just did a good job.
Not being invited back can be more than one thing. Embarrassing the company is one of the most effective way of losing clients, though. It also doesn't help get issues fixed because the manager will prioritize saving face over anything else, including protecting assets.
If you enable them to protect assets without looking bad using good communication... that manager will want you for every test.
If you had a back bone as a consultant your period 2 report would start with “unresolved issues from last time”, so you would very quickly have to resign due to your ethical baseline not being met. Therefore same outcome.
Thank you. I love this bit at the end of a successful demonstration:
> [The bank manager] raised his hand during this whole all-hands meeting and he says what about the free computers? Do we still get the new computers? I'm like no, I was lying to you. I'm a horrible person.
And this one after getting caught at the wrong bank:
> He calls the guy who hired us to rob the bank. They start talking and halfway through the conversation he literally says do we have to split the cost for this? At that point I realized it was probably going to be okay.
Memorys, in my young year as an electrician, our boss told us to go to a bank. We would have to install a whole new telephone installation. So we went to the bank, the lady on the front desk said, "yes I heard something about new telephones" and opened the door for us. About one hour later, we already started to work, the boss from the bank came and told us what we are doing, because they did not decide until know, what company the work would do .. so we left and guess what .. our company did not got the contract for the work :-)
It's quite possible in pentesting to end up hitting the wrong target unless you're careful.
Not as extreme as this case but, I've had cases where customers gave me the wrong IP address range for external work in the past, or where the customer had been told they had a dedicated server, when their web hosting company had actually put them on a shared host.
Yep, this. Or the team that arranges the contract (what to test, when to test it) typos the IPs (or misses a digit when copying or so).
To avoid that, in the larger orga I worked for we had a checklist for the morning-of: check signature on indemnification agreement, run a WHOIS on the provided IPs and domains. Fewer and fewer people have their own v4 ranges, but the companies that pay our rates are typically large enough to still have it. If not, they had to tell us in advance whom we should expect it to be hosted with.
The team that has initial contact also checks, but we were supposed to double check anyway and it was a good thing, too. Getting caught hacking another company is not a situation you want or be in as a security company.
Much less impressive when you know the guy works for the cousin of the bank owner, which is part of a mafioso family. This was staged as a PR move for the security firm of the cousin of the bankowner.
The Sehnaoui family is very powerful and well known in Lebanon. The guy works for the cousin of the owner of the bank. People aren't as gullible as we imagine them to be, but it's a good story for PR, resold over and over.
In this video https://youtu.be/UpX70KxGiVo
The running theme seems to be: omg its so easy to just walk in these places and rob them, the employees just let me in.
That seems an unremarkable assertion to me.
Do these corporations want all their employees to act as their private security force and secret police? I think most employees (rightly) dont give a shit if the company suffers. When it does well they dont get rewarded. They just gotta work somewhere so they can pay the rent and get food.
Your employer has the power to make you do all sorts of things. But they cant make you care.
In my experience, employers regularly exercise their power to make their employees not care. At best this is driven by a desire to limit the organization's liability, for example disciplining non-janitorial employees from picking up litter because they are afraid of lawsuits if someone throws out their back at work.
Being from Beirut, this was fun to listen to. But this type of pen-testing could probably take place at almost any bank anywhere in the world.
Generally Lebanon is quite free of "run-of-the-mill" crimes (thefts, rapes, murders). Most crimes happen in the political sphere: assassinations and mainly massive graft and corruption from the politicians who have pillaged the country for decades.
44 comments
[ 4.6 ms ] story [ 93.0 ms ] threadRight there in the article/podcast.
That's not the worst story of security within a financial service company/bank I've experienced but sure did start to open my eye's how interlocked some companies are with others who you would not expect for numerous reasons.
I will say that if you do find yourself in places you wasn't expecting, you do notice and notice pretty quickly and raise questions, also you start to become more mindful - "how easy would it be to social engineer penetration testers to break into a bank for you", it's a thought and more so as they would just need to engineer management to task you such a job. Not aware of that happening, but can easily see how that could be orchestrated.
I like the idea of social engineering management into hiring pen testers... How large a shadow organization could conceivably remain undetected on the payrolls of a large corporation, I wonder.
There's a short story in there somewhere, at the very least.
Award for excellence in pentesting.
Well, the report is never empty but in general it's not as if you always hit jackpot, sometimes there's a very small attack surface in a black box test (or if it's a black box because your account credentials are still not arranged...), sometimes there's a mostly default install of something and that's secure by default because a lot of people already looked at the project, or sometimes they just did a good job.
Not being invited back can be more than one thing. Embarrassing the company is one of the most effective way of losing clients, though. It also doesn't help get issues fixed because the manager will prioritize saving face over anything else, including protecting assets.
If you enable them to protect assets without looking bad using good communication... that manager will want you for every test.
You should have pushed for the opposite, doing the ocassional pentest to the client for life, in exchange for being mum about it.
If you had a back bone as a consultant your period 2 report would start with “unresolved issues from last time”, so you would very quickly have to resign due to your ethical baseline not being met. Therefore same outcome.
Huh? Your job is to point to issues, not to ensure they're resolved.
In the transcript, search for "A few years pass. Jason gets another call for another security awareness engagement" and read from there.
> [The bank manager] raised his hand during this whole all-hands meeting and he says what about the free computers? Do we still get the new computers? I'm like no, I was lying to you. I'm a horrible person.
And this one after getting caught at the wrong bank:
> He calls the guy who hired us to rob the bank. They start talking and halfway through the conversation he literally says do we have to split the cost for this? At that point I realized it was probably going to be okay.
Not as extreme as this case but, I've had cases where customers gave me the wrong IP address range for external work in the past, or where the customer had been told they had a dedicated server, when their web hosting company had actually put them on a shared host.
To avoid that, in the larger orga I worked for we had a checklist for the morning-of: check signature on indemnification agreement, run a WHOIS on the provided IPs and domains. Fewer and fewer people have their own v4 ranges, but the companies that pay our rates are typically large enough to still have it. If not, they had to tell us in advance whom we should expect it to be hosted with.
The team that has initial contact also checks, but we were supposed to double check anyway and it was a good thing, too. Getting caught hacking another company is not a situation you want or be in as a security company.
Tons of great episodes on this podcast. It's really a treasure.
You may have seen it in the news just over a year ago. Basically, what happens when a physical pentest goes wrong....
Fantastic response from the company those guys work for though.
The Sehnaoui family is very powerful and well known in Lebanon. The guy works for the cousin of the owner of the bank. People aren't as gullible as we imagine them to be, but it's a good story for PR, resold over and over.
That seems an unremarkable assertion to me.
Do these corporations want all their employees to act as their private security force and secret police? I think most employees (rightly) dont give a shit if the company suffers. When it does well they dont get rewarded. They just gotta work somewhere so they can pay the rent and get food.
Your employer has the power to make you do all sorts of things. But they cant make you care.
Generally Lebanon is quite free of "run-of-the-mill" crimes (thefts, rapes, murders). Most crimes happen in the political sphere: assassinations and mainly massive graft and corruption from the politicians who have pillaged the country for decades.