in Features

The blag market

Posted 28 September 2018 · Add Comment

African governments, companies and organisations are becoming increasingly adept at strengthening their security to fend off cyber attacks. Now, as Steve Knight reports, they face a new threat – the rise of the ‘blagger’.

Cyber-security – particularly in the government and corporate arenas – is improving throughout Africa, forcing some criminals to switch tactics.
Still desperate to acquire sensitive information, a new, plausible breed of law-breaker is now finding ways to physically enter premises to access data and other vital intelligence.
Using a number of different methods, these conmen (and women) find ways of breaching organisational security using the weakest link – people.
Security specialists are fighting back and now one UK company is offering its services throughout the continent, demonstrating to government organisations and major companies how easy it is for one or its operatives to penetrate their defences.
Leading cyber-security company, C3IA Solutions, based in Dorset, has a number of operatives who carry out this type of ‘penetration testing’. It works in the defence and security sectors, for government departments and within industry – serving both SMEs and multi-national firms.
The specialists use elaborate techniques in order to gain access and trust. They call it ‘social engineering’ and often make use of social media to research and make contact with their targets.
One C3IA Solutions operative, who remains anonymous for obvious reasons, said: “I get asked to try and breach all types of organisations and usually start by researching their staff. I have a number of false identities that I use to make contact with them on social media and on LinkedIn. With this information, I can then decide how best to target the business.
“Often clients want me to take a photo in a secure part of their premises or access databases or ‘steal’ customer details or invoices. I’ll then pretend to be a new employee or from their IT support and, because I have a bit of knowledge and information, I’m often just waved through.”
This was born out recently when he tailgated another vehicle into the site of a repair and maintenance facility for ‘secure’ emergency services communications systems, took up a ‘hot desk’ seat and interviewed a member of staff on security procedures for 30 minutes, claiming to be an internal auditor.
“The weakest part of any organisation is its people,” said the operative. “They are trained to be helpful, so when someone asks for something their instinct is often to hand it over without question.”
In another recent ‘sting’ operation, the operative posted a CD with a company logo and printed instructions to a software developer, with a request to complete an urgent systems update and send information back to an e-mail address. This was carried out by staff after they had consulted their information security manager (remotely) and been assured the request was legitimate.
“There are numerous other methods I use and, although occasionally I’ll ‘trip the wire’ and get caught, I am usually able to breach security,” explained the operative.
One of the simplest methods of extracting information is vishing (voice phishing – phoning and requesting information). A C31A operative recently used a number of phone calls to persuade the manager of a ‘secure’ outsourced service desk for a sensitive law enforcement agency that he was an internal IT auditor. He extracted sensitive information and also arranged to be invited onsite to continue the audit.
“It’s a real eye-opener for some companies as to just what we can do,” said the operative. “Often this type of social engineering activity will be done alongside checking the computer systems by ‘penetration testing’ and means we can provide a detailed security report with recommendations,” he added.
Tactics will change depending on the part of the world in which the company is working.
“It is relatively easy for a UK national to pass himself off as a different kind of UK national in an English-speaking domestic environment,” explained the operative. “However, in Africa, social engineering activities will often be less straightforward and greater preparation, reconnaissance and stealth is required.
“Africa is a vast continent with several distinct cultures, many different languages, and few, if any, unifying themes. Knowledge of local customs in Mombasa may not translate to success in Marrakech. Background research and the addition of intimate local knowledge, therefore, is vital if a task is to be scoped for feasibility and then executed effectively.
“For example, we would observe the pattern of life at a physical security checkpoint and understand the cultural and ethnic variables at play – who gets waived through; who gets a forensic check; what level of language interaction is expected etc?
“A good example of this is airport security, where there is a reliance on technical countermeasures and methods of detection (e-passports, scanners), a plethora of agencies and moving parts, and the potential to identify vulnerabilities in between these sequences of activity.
“In these situations, for the social engineer, the two must-haves are time (to observe, to plan, to exploit an identified vulnerability) and a copy of the ‘Rough Guide’ to an area, to ensure that at least a base level of cultural knowledge is understood and utilised.”
Africa also poses another different problem for the social engineer.
“There is the increased physical danger from the commonality of lawless or ungoverned zones, terrorist organisations, armed populations and routinely armed police and security guard forces, which you may not ordinarily face in the UK or Europe,” explained the operative.
“Using local resources as either advisors or, as appropriate, operators, is an option which may be effective under certain circumstances, but needs to be carefully managed in terms of skill level, knowledge transfer and, of course, duty of care.”
Matt Horan, who founded C3IA Solutions in 2006 with Keith Parsons, added: “We have noticed a sharp rise in demand for our social engineering service. We often tell businesses whose cyber-security we’re responsible for that they are leaving themselves wide open to attack from other areas.
“Proving this by sending in an operative is usually quite an eye-opener for clients and really focuses their minds on their security and training for staff.
“Training, education and improving the awareness of staff can greatly reduce the likelihood of an intruder gaining access and the negative impact should they succeed.”

* required field

Post a comment

Other Stories
Latest News

Satcom Direct names Evgeniy Pashkov regional director EEMEA

Satcom Direct, the business aviation solutions provider, has appointed Evgeniy Pashkov as regional director for EEMEA.

USD 1.8 trillion global investment needed for aviation infrastructure modernisation by 2030

The required modernisation of aviation infrastructure expansion, development, and modernisation to cater to anticipated increase in passenger and freight air traffic demand will reach USD 1.8 trillion by 2030.

Vega made 13th successful launch Orbits MOHAMMED VI-B satellite for the Kingdom of Morocco

Vega accomplished last November 21, a flawless launch from Europe’s spaceport at the Guiana Space Centre (CSG), orbiting the MOHAMMED VI-B satellite for the Kingdom of Morocco.

Pineau promises a vintage year

The sixth running of Morocco’s Marrakech Air Show takes place from October 24-27 at the country’s Base Ecole des Forces Royales Air – the prestigious Royal Air School. The school’s director, Gaël Pineau, tells Vincent Chappard about

Ethiopian and EU start Ethio-European international business school

Ethiopian Airlines and the European Union Delegation to Ethiopia have signed a letter of intent to establish Ethio-European International Business School (EEIBS).

Kenya’s Airport Authority prepares for adoption of online Cargo Service Quality tool

Kenya is set to become the first country in the world to adopt TIACA’s new Cargo Service Quality (CSQ) tool nationwide, in a bid to improve standards at all airports across the country.

TAA SK1009311218
See us at