in Features

The blag market

Posted 28 September 2018 · Add Comment

African governments, companies and organisations are becoming increasingly adept at strengthening their security to fend off cyber attacks. Now, as Steve Knight reports, they face a new threat – the rise of the ‘blagger’.

Cyber-security – particularly in the government and corporate arenas – is improving throughout Africa, forcing some criminals to switch tactics.
Still desperate to acquire sensitive information, a new, plausible breed of law-breaker is now finding ways to physically enter premises to access data and other vital intelligence.
Using a number of different methods, these conmen (and women) find ways of breaching organisational security using the weakest link – people.
Security specialists are fighting back and now one UK company is offering its services throughout the continent, demonstrating to government organisations and major companies how easy it is for one or its operatives to penetrate their defences.
Leading cyber-security company, C3IA Solutions, based in Dorset, has a number of operatives who carry out this type of ‘penetration testing’. It works in the defence and security sectors, for government departments and within industry – serving both SMEs and multi-national firms.
The specialists use elaborate techniques in order to gain access and trust. They call it ‘social engineering’ and often make use of social media to research and make contact with their targets.
One C3IA Solutions operative, who remains anonymous for obvious reasons, said: “I get asked to try and breach all types of organisations and usually start by researching their staff. I have a number of false identities that I use to make contact with them on social media and on LinkedIn. With this information, I can then decide how best to target the business.
“Often clients want me to take a photo in a secure part of their premises or access databases or ‘steal’ customer details or invoices. I’ll then pretend to be a new employee or from their IT support and, because I have a bit of knowledge and information, I’m often just waved through.”
This was born out recently when he tailgated another vehicle into the site of a repair and maintenance facility for ‘secure’ emergency services communications systems, took up a ‘hot desk’ seat and interviewed a member of staff on security procedures for 30 minutes, claiming to be an internal auditor.
“The weakest part of any organisation is its people,” said the operative. “They are trained to be helpful, so when someone asks for something their instinct is often to hand it over without question.”
In another recent ‘sting’ operation, the operative posted a CD with a company logo and printed instructions to a software developer, with a request to complete an urgent systems update and send information back to an e-mail address. This was carried out by staff after they had consulted their information security manager (remotely) and been assured the request was legitimate.
“There are numerous other methods I use and, although occasionally I’ll ‘trip the wire’ and get caught, I am usually able to breach security,” explained the operative.
One of the simplest methods of extracting information is vishing (voice phishing – phoning and requesting information). A C31A operative recently used a number of phone calls to persuade the manager of a ‘secure’ outsourced service desk for a sensitive law enforcement agency that he was an internal IT auditor. He extracted sensitive information and also arranged to be invited onsite to continue the audit.
“It’s a real eye-opener for some companies as to just what we can do,” said the operative. “Often this type of social engineering activity will be done alongside checking the computer systems by ‘penetration testing’ and means we can provide a detailed security report with recommendations,” he added.
Tactics will change depending on the part of the world in which the company is working.
“It is relatively easy for a UK national to pass himself off as a different kind of UK national in an English-speaking domestic environment,” explained the operative. “However, in Africa, social engineering activities will often be less straightforward and greater preparation, reconnaissance and stealth is required.
“Africa is a vast continent with several distinct cultures, many different languages, and few, if any, unifying themes. Knowledge of local customs in Mombasa may not translate to success in Marrakech. Background research and the addition of intimate local knowledge, therefore, is vital if a task is to be scoped for feasibility and then executed effectively.
“For example, we would observe the pattern of life at a physical security checkpoint and understand the cultural and ethnic variables at play – who gets waived through; who gets a forensic check; what level of language interaction is expected etc?
“A good example of this is airport security, where there is a reliance on technical countermeasures and methods of detection (e-passports, scanners), a plethora of agencies and moving parts, and the potential to identify vulnerabilities in between these sequences of activity.
“In these situations, for the social engineer, the two must-haves are time (to observe, to plan, to exploit an identified vulnerability) and a copy of the ‘Rough Guide’ to an area, to ensure that at least a base level of cultural knowledge is understood and utilised.”
Africa also poses another different problem for the social engineer.
“There is the increased physical danger from the commonality of lawless or ungoverned zones, terrorist organisations, armed populations and routinely armed police and security guard forces, which you may not ordinarily face in the UK or Europe,” explained the operative.
“Using local resources as either advisors or, as appropriate, operators, is an option which may be effective under certain circumstances, but needs to be carefully managed in terms of skill level, knowledge transfer and, of course, duty of care.”
Matt Horan, who founded C3IA Solutions in 2006 with Keith Parsons, added: “We have noticed a sharp rise in demand for our social engineering service. We often tell businesses whose cyber-security we’re responsible for that they are leaving themselves wide open to attack from other areas.
“Proving this by sending in an operative is usually quite an eye-opener for clients and really focuses their minds on their security and training for staff.
“Training, education and improving the awareness of staff can greatly reduce the likelihood of an intruder gaining access and the negative impact should they succeed.”

* required field

Post a comment

Other Stories
Latest News

3-D printed parts and new materials help Rolls-Royce to engine test success

Rolls-Royce’s Advance3 engine is helping pioneer the future of civil aerospace – with 3D printed parts and the introduction of new materials helping to lead the way.

African airports determined to safeguard and secure the interests of the traveling public

ACI world director general Angela Gittens delivered a keynote address calling on aviation regulators and airports in Africa to realistically assess challenges together and implement aviation-related safety and security actions

Airbus demonstrates H125 helicopter in Addis Ababa

Airbus is undertaking a series of demo flights in Ethiopia with its robust, rugged and reliable single-engine H125 helicopter, proving its high performance in dry, high and hot operating conditions.

AAD2018 proved a great success

The 10th edition of Africa’s premier exhibition of air, land and sea technologies, held 19th-23rd September 2018 - ended with a spectacular showcasing of air-acrobatics gracing the Tshwane skies.

Falcon 8X certified for EFVS to 100 ft operations

The Falcon 8X has been certified by EASA and the FAA for an enhanced flight vision system capability that gives operational credit for poor visibility approaches down to 100 ft, greatly improving access to airports in bad weather and

Airbus exhibits ACJ319 at NBAA show

Airbus Corporate Jets (ACJ) is displaying an ACJ319 at the NBAA show, highlighting the full-size living space on offer. Operated by K5 Aviation and available for VVIP charter, this particular ACJ319 is making its airshow debut.

TAA SK1009311218
See us at
AirCargoAFA_BT220318210219AviationAfrica_BT0607280219MarrakechAirshow BT2507241018