ryan_francis
Contributor

How White Hat hackers do bad things for good reasons

Feature
Jan 11, 2017 | 9 mins
Tags: IT Skills, Security, Social Engineering

Some companies are lovestruck with social engineering as a way to monitor their employees

Imagine you are the receptionist at the front desk of a bank around Valentine’s Day. There are countless bouquets of flowers and boxes of chocolate being dropped off for delivery to employees. You just set them aside and alert the employee upon arrival.

But what about the one box with no name on it, addressed only “To my love”? Taped to the box is a DVD. The delivery person says he doesn’t know who it is for; he tells the receptionist that he just delivers the packages. The receptionist wants the romantic package to reach its intended recipient, so she puts the DVD into her computer in the hope that it will give her a clue.

A video animation of a bunny saying “I love you” pops up on her screen. Behind the scenes, however, an executable has been placed on the computer, and now the criminal is inside the company’s network.

That delivery man was Anton Abaya, a senior assessment and compliance consultant with Accudata Systems. He had been hired by the client as a “white hat hacker.” Once Valentine’s Day had passed, he sat down with his client and watched the surveillance video of the employees laughing at the cute video while eating the chocolates.

“I’ve tried all of [the social engineering situations] and have been fortunate to have been authorized by my clients to be as creative as possible. The bank was very advanced on their security protocols for unannounced visitors,” he said. However, those policies were not followed in this scenario.

“My client was just as entertained as I was,” he said.

It is Abaya’s job to drop in unannounced to clients’ buildings to see how far he can get in the physical building as well as the network.

Abaya, 30, has been interested in technology from a young age. “I am part of the generation that grew up on the internet before there were any rules. I was really fascinated with the craft,” he said.

When he was around 12 years old, he started collecting computer viruses as a hobby from local stores that sold pirated software. Almost all of the software they copied had some virus on it, he said. He would then try to find different ways to disinfect the infected computer. “This fascinated me at the time – I don’t know why, and it always has,” he said.

His early forays on the internet dabbled a bit in the “dark side,” but never went so far that he couldn’t get back on the straight and narrow. “When I was young and my curiosity led me down dark alleys on the internet, I used my moral compass to guide me back to the light,” he said.

“Let’s just say that a long time ago I once knew where [the bad guys] hung out, was there long enough to pick up a few skills, but knew they did bad stuff. I never joined them on any of their missions, and then left when things got awkward because I was clearly not a contributing member.”

Jack of all trades

Abaya, who came to Accudata in 2008, has a background in IT hardware repair, system administration, engineering and auditing: a jack of all trades, with skills that lend themselves well to knowing the tendencies of employees. At Accudata he performs penetration testing, vulnerability assessments, risk assessments, infosec/compliance gap assessments, PCI assessments, and general infosec consulting. He said his favorite story is the one that launched his IT security career. He was an IT auditor performing his first penetration test. The target was a company with more than 80,000 systems and a staff of around 50 employees guarding it.

Anton Abaya, a senior assessment and compliance consultant with Accudata Systems

“I remember them telling me ‘You guys will never get in. We’re tested all the time by our own [pricey infosec] consultants.’ The other IT auditors started with using nMap and Nessus. I decided to go at it a different way and was a domain admin in about 4 hours (they hadn’t even finished their nmap scans yet),” he said. “The way I got in turned out to be an unreported vendor vulnerability so it not only affected the company I was targeting, but all of the vendor’s customers. It really was not the most glamorous zero-day – I just knew enough about computers, security, and also got lucky.” 

A job of a white hat hacker usually involves some kind of deception. In another assignment Abaya was asked to spear phish. The target was the manager of Windows Systems at a university. Abaya pretended to be a student doing research for a 400-level class and convinced the manager to meet for some coffee to talk about the trade. 

“He agreed to meet and I was able to get him to trust me. Before the meeting, I emailed him a Word doc with my interview questions to give him some time to prepare for the interview. Well, the Word doc of course had my payloads. The manager of Windows Systems responded back with the ERROR message he got when he opened the Word file. It turns out he was using a Mac… the manager of Windows Systems was using a Mac! I learned a hard lesson that day,” he said.

He said that in today’s world it is critical to have security in layers. “There will always be some people who ‘fall for it’. Even the most paranoid employees can make mistakes or be tricked,” Abaya said. When an organization always assumes the first line of defense will be broken, creating second and third layers of defensive controls buys it time to stop the attack.

What happens if the company succeeds in stopping the pen tester or social engineer? Does that mean the organization is totally secure?

“Does stopping a bullet mean you can stop a bazooka? In general, it is close to impossible for an organization to be perfectly immune to an attack. If an adversary wants to target you and is patient and competent, and they have a big enough gun, then they will probably eventually find a way in,” he said.

Stopping a penetration tester you hired for a day, when your ‘hacker’ adversary has been targeting you for weeks or months with an unlimited budget, will not yield a meaningful comparison, he added. However, if the majority of your adversaries will spend at most a day targeting you, then being able to stop an experienced, qualified and trained pen tester for a day’s worth of work probably means you can stop the majority of those attackers.

He said organizations that have been targeted by well-funded nation states never stand much of a chance. “Knowing your most likely adversaries is very important and designing a penetration test to simulate the majority of your adversaries would be key to a successful comparison.”

Keeping an eye on the dark web

Joseph A. Juchniewicz has more than 24 years of experience in the IT field. Part of his job description as a senior consultant at Accudata has been to see what is going on in the dark web. He has retrieved information, gotten code, and used some of “my sock puppets to give other sock puppets a higher standing in the ranks.”

He holds degrees in criminology and criminal justice, was one of the founding members of the EC-Council’s Scheme Committee, and currently holds its vice chair position. He also holds several certifications.

The 49-year-old has always been a white hat. He was trained in the Department of Defense world at Lockheed Martin, and “would go after the ones who were causing trouble.”

His past jobs had him working on several cases involving people using their computers to run a pornography server, as well as treason cases. In a couple of those cases the material was child pornography, which meant bringing in the FBI and working with them to find out who was running the server as well as who was viewing it.

In one such case, the issue was that a very powerful server with internet access (and several large hard drives and a lot of memory) would have its utilization go through the roof at different hours throughout the day and night. “We started to review the logs to see what was going on when we found multiple hidden partitions. We also found a hidden web portal that allowed access to those partitions, and found a pay-for-porn site on a government machine.”

At that point they had to get the FBI involved. All persons who had accounts were tracked and monitored, and warrants were issued for their arrest. As for the employee who was running it, he was just trying to make extra money. It cost him his job and a 15-year prison sentence.

“When I worked for the government, we had several cases where people tried to steal secret information and send it across to other countries. Sorry, I can’t really get into too many details, since it was working with the government and how they conduct some of their surveillance,” he said. “Working with the FBI is very intense; they are very professional and the computer team members are meticulous.”

Juchniewicz does vulnerability assessments, pentesting, social engineering, virus/malware assistance, process procedure review, tool review, firewall review, investigations, and forensics for Accudata clients. 

He said there is not much companies can do to keep him out of their network. “I have a high success rate, but it all comes down to training and education. The more info the employees know, the better they can stop this kind of issue.”