[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[ISN] Snake Bytes - The Perfect Jewelry Heist
January 3, 2008
Years ago, the concept of a blended attack was all the rage in infosec
magazines. I remember lots of CISOs running around and spreading that
buzzword, while talking to every industry analyst who would listen about
how blended attacks were almost unstoppable. The concept of combining
unrelated penetration techniques was foreign and exotic. Today it's
often employed by the more sophisticated attackers.
The new CourtTV show called Tiger Team does a wonderful job of
highlighting the blended attack. Rather than talking about it in an
academic environment, they actually show the audience the damage a
technically savvy group of security experts can do.
One particular scene demonstrated how the perfect combination of IT
security, physical security, and electronic countermeasures can pull off
the perfect jewelry heist.
The first step the Tiger Team took was to procure information from a
drive on the computer of a receptionist at the jewelry store, which they
did by social-engineering her into inserting an infected USB dongle into
her computer under the premise of asking her to print something. Later,
they cloned an HID badge from the manager of the store, and then used it
to break into the office after hours, crawling along the floor beneath
the motion sensors -- only to have the alarms go off, anyway.
At that point, the show appeared to be over, with the team failing to
complete mission without getting caught. But not so: They made a mad
dash to the back room and entered the combination for the alarm code
which they procured from the desktop machine. They quickly snipped the
RJ11 phone connection and used a signal jammer so the wireless modem
couldnt dial out, so that they got complete access to the office. After
some panicky moments of nearly getting caught, they proceeded to use
some common tactics for breaking into the safe in the owners office.
They made it out safely, leaving a Polaroid of themselves wearing the
most valuable items in the store. They had successfully simulated an
While there are only a handful of people who could pull off a heist like
this from the outside, its far more likely that components of this
attack could have been pulled off much easier by someone on the inside.
So apparently blended attacks are back -- even if they really only make
for good reality TV. So yes, its on my DVR, where it will stay. Cool
- RSnake is a red-blooded lumberjack whose rants can also be found at
Ha.ckers and F*the.net. Special to Dark Reading
Visit InfoSec News