The blag market

African governments, companies and organisations are becoming increasingly adept at strengthening their security to fend off cyber attacks. Now, as Steve Knight reports, they face a new threat – the rise of the ‘blagger’.

Cyber-security – particularly in the government and corporate arenas – is improving throughout Africa, forcing some criminals to switch tactics.
Still desperate to acquire sensitive information, a new, plausible breed of law-breaker is now finding ways to physically enter premises to access data and other vital intelligence.
Using a number of different methods, these conmen (and women) find ways of breaching organisational security using the weakest link – people.
Security specialists are fighting back and now one UK company is offering its services throughout the continent, demonstrating to government organisations and major companies how easy it is for one of its operatives to penetrate their defences.
Leading cyber-security company, C3IA Solutions, based in Dorset, has a number of operatives who carry out this type of ‘penetration testing’. It works in the defence and security sectors, for government departments and within industry – serving both SMEs and multi-national firms.
The specialists use elaborate techniques in order to gain access and trust. They call it ‘social engineering’ and often make use of social media to research and make contact with their targets.
One C3IA Solutions operative, who remains anonymous for obvious reasons, said: “I get asked to try and breach all types of organisations and usually start by researching their staff. I have a number of false identities that I use to make contact with them on social media and on LinkedIn. With this information, I can then decide how best to target the business.
“Often clients want me to take a photo in a secure part of their premises or access databases or ‘steal’ customer details or invoices. I’ll then pretend to be a new employee or from their IT support and, because I have a bit of knowledge and information, I’m often just waved through.”
This was borne out recently when he tailgated another vehicle into the site of a repair and maintenance facility for ‘secure’ emergency services communications systems, took up a ‘hot desk’ seat and interviewed a member of staff on security procedures for 30 minutes, claiming to be an internal auditor.
“The weakest part of any organisation is its people,” said the operative. “They are trained to be helpful, so when someone asks for something their instinct is often to hand it over without question.”
In another recent ‘sting’ operation, the operative posted a CD with a company logo and printed instructions to a software developer, with a request to complete an urgent systems update and send information back to an e-mail address. This was carried out by staff after they had consulted their information security manager (remotely) and been assured the request was legitimate.
“There are numerous other methods I use and, although occasionally I’ll ‘trip the wire’ and get caught, I am usually able to breach security,” explained the operative.
One of the simplest methods of extracting information is vishing (voice phishing – phoning and requesting information). A C3IA operative recently used a number of phone calls to persuade the manager of a ‘secure’ outsourced service desk for a sensitive law enforcement agency that he was an internal IT auditor. He extracted sensitive information and also arranged to be invited onsite to continue the audit.
“It’s a real eye-opener for some companies as to just what we can do,” said the operative. “Often this type of social engineering activity will be done alongside checking the computer systems by ‘penetration testing’ and means we can provide a detailed security report with recommendations,” he added.
Tactics will change depending on the part of the world in which the company is working.
“It is relatively easy for a UK national to pass himself off as a different kind of UK national in an English-speaking domestic environment,” explained the operative. “However, in Africa, social engineering activities will often be less straightforward and greater preparation, reconnaissance and stealth are required.
“Africa is a vast continent with several distinct cultures, many different languages, and few, if any, unifying themes. Knowledge of local customs in Mombasa may not translate to success in Marrakech. Background research and the addition of intimate local knowledge, therefore, is vital if a task is to be scoped for feasibility and then executed effectively.
“For example, we would observe the pattern of life at a physical security checkpoint and understand the cultural and ethnic variables at play – who gets waved through; who gets a forensic check; what level of language interaction is expected etc?
“A good example of this is airport security, where there is a reliance on technical countermeasures and methods of detection (e-passports, scanners), a plethora of agencies and moving parts, and the potential to identify vulnerabilities in between these sequences of activity.
“In these situations, for the social engineer, the two must-haves are time (to observe, to plan, to exploit an identified vulnerability) and a copy of the ‘Rough Guide’ to an area, to ensure that at least a base level of cultural knowledge is understood and utilised.”
Africa also poses another problem for the social engineer.
“There is the increased physical danger from the commonality of lawless or ungoverned zones, terrorist organisations, armed populations and routinely armed police and security guard forces, which you may not ordinarily face in the UK or Europe,” explained the operative.
“Using local resources as either advisors or, as appropriate, operators, is an option which may be effective under certain circumstances, but needs to be carefully managed in terms of skill level, knowledge transfer and, of course, duty of care.”
Matt Horan, who founded C3IA Solutions in 2006 with Keith Parsons, added: “We have noticed a sharp rise in demand for our social engineering service. We often tell businesses whose cyber-security we’re responsible for that they are leaving themselves wide open to attack from other areas.
“Proving this by sending in an operative is usually quite an eye-opener for clients and really focuses their minds on their security and training for staff.
“Training, education and improving the awareness of staff can greatly reduce the likelihood of an intruder gaining access and the negative impact should they succeed.”