[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ISN] Snake Bytes - The Perfect Jewelry Heist


By RSnake
January 3, 2008 

Years ago, the concept of a blended attack was all the rage in infosec 
magazines. I remember lots of CISOs running around and spreading that 
buzzword, while talking to every industry analyst who would listen about 
how blended attacks were almost unstoppable. The concept of combining 
unrelated penetration techniques was foreign and exotic. Today it's 
often employed by the more sophisticated attackers.

The new CourtTV show called Tiger Team does a wonderful job of 
highlighting the blended attack. Rather than talking about it in an 
academic environment, they actually show the audience the damage a 
technically savvy group of security experts can do.

One particular scene demonstrated how the perfect combination of IT 
security, physical security, and electronic countermeasures can pull off 
the perfect jewelry heist.

The first step the Tiger Team took was to procure information from a 
drive on the computer of a receptionist at the jewelry store, which they 
did by social-engineering her into inserting an infected USB dongle into 
her computer under the premise of asking her to print something. Later, 
they cloned an HID badge from the manager of the store, and then used it 
to break into the office after hours, crawling along the floor beneath 
the motion sensors -- only to have the alarms go off, anyway.

At that point, the show appeared to be over, with the team failing to 
complete mission without getting caught. But not so: They made a mad 
dash to the back room and entered the combination for the alarm code 
which they procured from the desktop machine. They quickly snipped the 
RJ11 phone connection and used a signal jammer so the wireless modem 
couldnt dial out, so that they got complete access to the office. After 
some panicky moments of nearly getting caught, they proceeded to use 
some common tactics for breaking into the safe in the owners office. 
They made it out safely, leaving a Polaroid of themselves wearing the 
most valuable items in the store. They had successfully simulated an 
actual robbery.

While there are only a handful of people who could pull off a heist like 
this from the outside, its far more likely that components of this 
attack could have been pulled off much easier by someone on the inside. 
So apparently blended attacks are back -- even if they really only make 
for good reality TV. So yes, its on my DVR, where it will stay. Cool 

- RSnake is a red-blooded lumberjack whose rants can also be found at 
  Ha.ckers and F*the.net. Special to Dark Reading

Visit InfoSec News