New Yorkers toil in a city of haggard indifference. Heading off to work each morning, coffee in hand, our shirts are ironed. At the office, employee badges and two-step email verification grant us access for the day. Internal documents are shared across WiFi protected by long, complex passwords. At work, we are safe. We step outside for lunch or coffee or the midday stroll. Then we become targets.
On a balmy spring afternoon, Ian Amit stands at a counter in a Starbucks in Midtown Manhattan. As customers check Facebook, Twitter and Gmail through the free and open AT&T Internet, Amit monitors it all. One keystroke could activate a script that would capture all the information passing through the network. He could, but he refrains. It is not ethical, and in his words, “less legal.”
As the director of security services for IOActive, a firm that offers comprehensive computer security services, Amit is a problem solver. Today’s demonstration at the Starbucks is a look at open source intelligence, or OSINT, and how the trail of data left by the most innocuous of tasks carried out on smartphones maps out day-to-day activities that coalesce into a vivid portrait of everyone’s lives. For a corporate security specialist, it makes for an easy day at work.
“Don’t check your email,” he says, plugging an external wireless antenna into his laptop. He shields the antenna in his black backpack on the ground. To anyone watching, it looks as if he’s charging his phone and connecting to an external device, as his penetration and security tools boot onscreen in small command windows.
“It’s not about the tool. The tool is irrelevant,” he says once code begins streaming across the screen like something out of the 1995 film “Hackers.” “The data is already out there.”
But the coffee shop is child’s play compared to his real work — the clandestine operations known as “red teaming.” A red team is a group of security specialists, usually with military experience, that functions without much regulation in the private intelligence sector. They challenge organizations to improve effectiveness in security by, among other things, breaking into systems to expose vulnerabilities.
While the technique is rooted in military operations, it is frequently used in real world and civilian operations, some of which happen every day, right before our eyes.
* * *
Though he has the power to steal a Starbucks customer’s identity while they’re waiting for their latte, Amit is one of the security professionals whose life’s work is keeping data safe.
As Amit explains it, most of what we see as security — the two-step passwords, the ID cards — is the idea of security, not security itself. In that way, security efforts rarely focus on the one or two outliers. Rather, they choose to manifest as long lines and security checkpoints, providing a sense of security through large signs and heavily armed guards. “Security theater,” as it’s called in the business: the TSA agents and Paul Blart mall cops of the world. Red teams, on the other hand, are practitioners in the art of security, attacking from every direction, beyond the metal detectors and security patrols, until they expose weaknesses and propose fixes to fortify them.
Members of these teams are often former military personnel and are considered, in hacking terminology, “penetration testers.” Amit oversees about a dozen employees, though he contracts out work for different red team operations.
IT companies like IBM and SAIC, as well as a litany of federal agencies, all use teams like this — sometimes referred to as “tiger teams” — to reverse engineer security processes and business operations in order to spot weaknesses that would uncover gaps in security.
These engagements can cost anywhere from tens of thousands of dollars to upward of six figures. According to Amit, few know when a team like his is on the job. Maybe one or two of the higher-ups within a company, fearing a major loss, be it through a malicious digital attack or physical break-in, know of the red team’s intentions. But even they don’t know when to expect them.
* * *
The particular skill sets needed for any red team operation vary on a project-by-project basis. Amit garnered valuable experience — analytical thinking and reasoning paired with observational techniques that go beyond the passive observer — through his time in the armed forces. He grew up in Tel Aviv, tinkering with computers and gadgets — taking apart televisions, as he puts it, to find the little green man inside — before spending four years in the Israeli Defense Forces.
In the IDF he was a tank driver, air force cadet and a tank company commander. Once he left, in 1998, there were newer and faster computers to work with that far surpassed the tinkering he managed as a boy. The personal computer had evolved into the Intel XT 8086 and 8088. Everything moved at a faster pace.
“One of the big tipping points for me was the catch-up after four years of not touching computers almost at all. It’s like a decade of computer innovation to catch up with,” he says. “That translated into understanding systems from the inside. Which then translated into a civilian occupation. You can consult, you can help people break it so that other people can understand the problem to fix it.”
In the past, red teaming has been featured on television shows. In one episode of “Tiger Team,” the team’s target was a Lamborghini dealership. Hired by the owner to go up against a newly installed high-tech security system, their mission was simple: gain access to the showroom and drive the brightest car out of the front door. Simple.
They began with surveillance and cased the area to learn about what perimeter security assets were in place — infrared cameras, gates, automatic locks, motion sensors. From there, after dumpster diving and recovering discarded letters from the dealership’s security company, a member of the team, disguised as a security company employee, scheduled an appointment to update their internal systems.
Dealership employees unknowingly allowed unverified, unfettered access to the computers and systems in the back office. Having unrestricted access to security feeds and automated locks, the job went unnoticed until the next morning, when the owner came to open up shop. A bright yellow Lamborghini was missing from the showroom floor.
These operations team members carry their own get-out-of-jail-free cards, indemnification letters that the clients need to sign in order to engage with anything that goes beyond the more “traditional” penetration testing.
Though that is just one example of an exciting, hands-on operation, much of red teaming revolves around the intangible.
Due to non-disclosure agreements, following Amit on an operation wasn’t possible, but he offered insight into malicious software hacking and other digital attacks we might otherwise never see, both on the national and private scale.
“My observation starts with: what is your business about?” Amit says, standing by his laptop, the screen a mix of scrolling white and green text. “What would pain you the most? The teams I would assemble would have those kind of skill sets.”
He’s well supplied to observe and execute operations — physical or digital — at any moment. His black vinyl L.A. Police Gear tactical backpack holds a litany of tools used in the field, including:
• Black mylar balloons used to slip under doors. Once inflated, they rise to unlock motion detectors and other infrared sensors.
• A preconfigured Raspberry Pi mini computer. These credit card-sized computers are inexpensive and available to any DIY enthusiast. In this particular usage they are deployed for passive data collection and retrieved at a later time.
• Extended-range WiFi antennas.
• Elevator keys for all major brands.
• Putty clamp for making copies of keys.
• GPS tracker used for tailing targets.
• A software-defined radio.
• Shove knife for lock picking, and a lock pick set with pick gun.
• A file for shaving down blank keys.
• Various wires and connectors.
• Black glasses (no explanation necessary).
“It’s purely counterintelligence, giving up a rook or a pawn just to see how the game plays out,” he says, shuffling through the bag before placing it back on the floor. “Otherwise you’re just a technician patching holes.”
Think again when you’re checking your balance at a coffee shop. As you’re looking through past purchases, cursing your low balance, your phone is pinging all available WiFi connections, trying to gain access. Then it pings the one connected to Amit’s computer.
“Everyone’s vulnerable. Running a business is just practicing risk management,” Amit says, “and we want to practice this better.”
When assessing why someone would attack a given platform, a red team first looks for what they call “threat communities.” In the case of bank accounts accessed at a coffee shop, it could be other banks trying to gain a competitive edge by souring the name of its competitor, or the infamous hacking collective Anonymous simply looking to make headlines, or possibly a bank employee who wishes his paycheck were larger.
“Then we narrow it down to threat actors,” Amit says. “We get hired to look at this and say, ‘how would you attack this?’ It’s a little easier to gauge the system from both sides, the defender and the attacker. I play both.”
If a mobile banking app can share money through a quick tap between two phones, the team might look at what would happen if a user gave someone else negative $5. Would they then take the money rather than receive an error? What if you sent someone “ABC” as the amount? Would it go through as a transaction? This is stuff that should have already been addressed by the software developers, but as Amit says, “should have is a key word.”
“I’m just here to be the mirror,” Amit says of his and his team’s role in similar operations. “It’s important to experience that for real.”
“If we would live in a perfect world, security would have been embedded in the process from the get-go,” Amit says outside the Starbucks, a cigarette in his hand. He looks around and notes security flaws at every turn — door locks, alarm systems and more — all of them merely inefficient theft deterrents.
Then again, “If everything was perfect I’d be surfing in Hawaii. I wouldn’t have a job.”
* * *
Kenneth R. Rosen writes and works for the New York Times.
Alex Schubert is a cartoonist from Kansas City. His first book, Blobby Boys, was released last year.