Every large information security firm in the market offers physical pentesting, and most large in-house security teams do semi-regular physical pentesting. I was hoping this would be a story about the complications of doing physical pentesting on sites where the use of deadly force is authorized, but instead it's an article of the type you'd have expected to read in the late 1990s, when this stuff was exotic.
Amusingly, we did this at the Army Reconnaissance Course. I was in one of the last courses still based out of Fort Knox before the Armor School relocated to Benning and our capstone field event was basically a survivor pool where we split into teams starting at the perimeter of the installation and gradually move inward surveilling all of the facilities while the school staff tries to find us. Whoever is the last to get caught wins.
The MPs and US Mint Police were, of course, told we were doing this so they wouldn't shoot us. I do recall an incident from a bit more than a decade back, I think at Fort Bragg, where a soldier going through the special forces Q Course was shot by a police officer.
I remember reading about that last. I believe that was a case where the Army runs the course in an area where local law enforcement and citizens role-play nationals of a fake foreign country, and the guy tried to bribe an LEO with fake "money" as if he was in character as a third-world cop. But the LEO wasn't part of the exercise, tried to arrest the guy, who resisted because he thought it was in-character, and things escalated from there.
Years ago I was one of those grumpy-looking guys with a rifle standing next to those "USE OF DEADLY FORCE AUTHORIZED" signs, or directed the responses of said grumpy-looking guys.
This is all anecdotal and will vary wildly by org and era. So if you were to compare, say, a NATO WSA during the Cold War against a modern colocation facility that occasionally trots out crew-served weapons for marketing photoshoots...while both are secure facilities featuring some degree of lethal response capability, these will have very different liability profiles and rules of engagement. But in both cases there will need to be procedures in place for evaluating on-duty armed guards in a manner that doesn't get anyone hurt.
For routine training during shifts, a training exercise is openly declared. This can be done ahead of time, or an evaluator may do so by surprise - it all depends on what procedures and scenarios are being evaluated. Once the evaluator/actor is detected or challenged by guards (or some other threshold is passed during a scenario), an exercise is declared out loud. Normally, this will happen before anyone in that scenario might reasonably need to use force.
Upon exercise declaration this is accompanied by a quick "safety briefing" over the radio to response forces with routine reminders on what to do if an unsafe act occurs, so guard forces know to appropriately pretend (shout "bang", blink flashlight, etc) instead of actually firing upon intruders. There's a degree of make-believe roleplay once the exercise is active, since discharging duty weapons in real life comes with mountains of paperwork that I don't want to think about even decades later. Of course, less harmful forms of force may still be permissible (and expected!), such as various restraint techniques or handcuffing/zip-tying resistant bad guys.
For any competent org, this sort of training happens constantly and with enough variation to keep everyone on their toes. The role of "bad guy" is rotated between different guards, so everyone has a chance to attempt breaking in to various restricted areas and enjoy tasting the various flavors of pavement around base as we tackle each other. An exercise of one type can snowball into another, if I manage to catch some unsuspecting lazy troop unawares and "kill" them (usually with a "Surprise! This is an exercise, you're dead, do not answer your radio."), then while they're tagged out (and chewed on by their sergeants about situational awareness), a quick response force is scrambled from available troops on shift to stop us. By this point everyone on shift will know the situation has escalated from a failed pentest into a nasty wargame and should act accordingly.
Bear in mind that these sorts of live exercises are meant to evaluate procedures and test readiness in situ - the forces involved may suddenly be interrupted by real-world duties and time constraints. Live force-on-force training conducted with blanks, MILES gear, airsoft or whatever less-lethal weapons they have these days would be during designated training time and not on shift.
> He prefers his own “escalatory approach”, working through a system via an administrator’s access and searching for a “confluence”, a collection of information shared in one place, such as a workplace intranet.
Was this a mistaken transcription for Confluence, the Atlassian app?
It sounds like the journalist didn't know what Confluence is and thought it was a term of art for any generic intranet.
edit: to those saying the word makes sense without referring to the Atlassian product, I'm not buying it. The journalist put it in quote marks, which to me suggests he thought it was a term of art — if he instead meant it metaphorically, I don't think he would have phrased it like that. It's also just an odd word to use to describe the idea.
The dictionary meaning of "confluence", namely an aggregation or coming together of disparate sources of stuff (information, in this case) into a single place, makes perfect sense here. And searching for places that lots of information gathers seems like a sensible approach to me. The fact that one product happens to have the same name didn't even cross my mind.
Confluence literally means the junction of two rivers, genericized it's where two or more things join or occur together ("a confluence of events"), so it could be either. But naming Confluence (the web application) is very specific, not everyone uses it.
Confluence, n.: a collection of semirandom characters emitted by employees trying to look busy, interned in a series of secure silos, with stringent access controls, to hide the evidence.
This is what happens when people 'sanitize' their writing with an AI. It doesn't often understand trademarks or context, so we get stuff like this.
I imagine the real human written sentence was "Trying to get admin access via a Confluence exploit," which there are many and an app that IT groups take their time updating.
As I wrote in the sibling comment to yours, it really could go either way. A confluence, a place where you find a lot of information like an intranet shared drive, is a reasonable interpretation without the original quote in place. But so is Confluence the application as an example of a confluence which also exists on an intranet, and the writer misunderstood and (being a writer) used their familiarity with English to infer more than was said.
We don't need AI for either interpretation, just familiarity with English.
Ok, so, assuming these facilities are indeed "top secret bases" that have armed security, military or otherwise, how do red teamers not get shot? Do they get right up to but not complete the intrusion? Do they inform security of the intrusion attempt and, if so, how do they defend against the hilarious possibility of actual baddies working at the same time?
These questions might have obvious answers. This isn't my line of work. I'm honestly interested in how they accommodate the need to (a) not kill the vendor and (b) still protect the facility.
What is terrifying is the US 'justice' system. It is set up to get people locked up, whoever the Sheriff wants locked up. What a tragic story about a supposedly civilised country.
Interesting but it ended so.. abruptly! I was hoping for a LOT more. I think if you're interested in this subject area you must get a copy of Ghost In The Wires, and The Art of Intrusion by Kevin Mitnick.
A more accurate modern depiction would probably be incredibly boring, at least the actual physical part, because it's mostly people tailgating, walking into the nearest empty office, and plugging a small box into the network port.
Is this an ad for Leonardo? 'Greg would only speak to BBC under a pseudonym'...really?
There are many professional, military-or-adjacent red team folks who'd gladly speak to BBC with real names and credentials...
This would actually be somewhat smart. MI6 could "private label" their pentesting. Their agents get free (actually negative cost) real-world training. You can pick the client list to include both local industries that you would prefer be secure, and potential adversaries that you can infiltrate for "free".
That'd be an interesting job interview technique, albeit probably not a good technique: prospective clients are refused at the door and have to finagle their way into the conference room.
I wouldn't underestimate how much of the British establishment is in some way connected to the SIS. there's a reason the Post Office wasn't sold off with Royal Mail
Given they're supposed to show up at top-secret bases and find a way in, they probably don't want their real names and photos to be a Google search away for blue teams to recognize on sight.
Annoying that the article is more focused on "there's people that get paid to break into things" more so than "these are the complexities of breaking into a base".
Physical pentesting or red teaming isn't anything new
Hmm, feels like the article could have been so much longer.. it's a pretty cool topic. Sadly, all the 1-or-2-sentence paragraphs makes it feel like a Goosebumps novel or something. Really awkward presentation.
How does one get into the physical security space? I can pick a lock, climb a ladder, jump a gap, and lie to authorities.. I would love to do this for a job.
There is probably an elite practitioner space for this managed and staffed by people with a career focus in cat burglary or whatever, but for the most part if you want to do physical pentesting the straightforward career path in is to become an information security consultant --- which will mean sharpening up your non-physical skills, because most of the demand is non-physical.
Its probably not even that sexy just waiting for someone to hold the door behind them. At my workplace we are told in our HR material not to hold doors open for anyone but guess what everyone does...
This what security people refer to as "tailgating" and at one office, our security people were trained to spot this. I tried several times when I had lost my ID and got yelled at and had to get a visitor pass for the day.
Another very large tech company the security people DGAF about anything. You could forget your ID, tailgate someone, no problem. I started doing this to see how often I could do it, even when I had my ID. Security never stopped me, but when one of the C-suite folks did a badge scan, my manager got an earful wondering why I was never in the office. Which then resulted in a lengthy meeting with my manger, his director and another director. Imagine their surprise when they found out I was pseudo pen testing their security systems and pointed out that the security firm the company had hired was doing a horrible job. They obviously were not impressed and told me to stop doing it.
I also read a recent version where a team were doing this on purpose to get a person's ID scanned with some kind of a NFC scanner. Of course they would get kicked out for not having an ID or an appointment, but it didn't matter. They already had gotted several different employee ID's they could duplicate and use. They even managed to get some guy pretty high up who had an encrypted RFID ID card and managed to crack the encryption which allowed them to get into all kinds of restricted areas.
The comment I replied to said decay/interactions. Full control rod insertion stops all interactions, reducing the output power of the reactor by over 90% within typically two to five seconds, and only downhill from there.
You're right that the existing fuel continues to decay (and this produces some heat, which is why you need an operational reactor cooling system even if you've shut it down, in order to prevent a meltdown), but it doesn't produce enough heat to meaningfully produce any power (via a steam turbine), and thus it could be argued that you have successfully stopped the core of the reactor from doing its job faster than you can pick a lock.
Off hand I imagine red-teaming a nuclear power station wouldn't actually go this far; victory would end at demonstrating merely that you could have (e.g. by being in a position and possessing the requisite equipment to compromise a temperature or flow sensor in the cooling system, leading the reactor controller to conclude that the cooling system has failed, triggering an emergency SCRAM).
At a European hacker con we had the custom of keeping crew badges in the first room to be occupied by us and our security. To get your crew badge, you had to get into that room without authorization.
Everyone worthy of being called "crew" did succeed.
Every large information security firm in the market offers physical pentesting, and most large in-house security teams do semi-regular physical pentesting. I was hoping this would be a story about the complications of doing physical pentesting on sites where the use of deadly force is authorized, but instead it's an article of the type you'd have expected to read in the late 1990s, when this stuff was exotic.
Must be a slow news day. I head this for a firm, and half expected this to be a piece on some good war stories.
Amusingly, we did this at the Army Reconnaissance Course. I was in one of the last courses still based out of Fort Knox before the Armor School relocated to Benning and our capstone field event was basically a survivor pool where we split into teams starting at the perimeter of the installation and gradually move inward surveilling all of the facilities while the school staff tries to find us. Whoever is the last to get caught wins.
The MPs and US Mint Police were, of course, told we were doing this so they wouldn't shoot us. I do recall an incident from a bit more than a decade back, I think at Fort Bragg, where a soldier going through the special forces Q Course was shot by a police officer.
I remember reading about that last. I believe that was a case where the Army runs the course in an area where local law enforcement and citizens role-play nationals of a fake foreign country, and the guy tried to bribe an LEO with fake "money" as if he was in character as a third-world cop. But the LEO wasn't part of the exercise, tried to arrest the guy, who resisted because he thought it was in-character, and things escalated from there.
Years ago I was one of those grumpy-looking guys with a rifle standing next to those "USE OF DEADLY FORCE AUTHORIZED" signs, or directed the responses of said grumpy-looking guys.
This is all anecdotal and will vary wildly by org and era. So if you were to compare, say, a NATO WSA during the Cold War against a modern colocation facility that occasionally trots out crew-served weapons for marketing photoshoots...while both are secure facilities featuring some degree of lethal response capability, these will have very different liability profiles and rules of engagement. But in both cases there will need to be procedures in place for evaluating on-duty armed guards in a manner that doesn't get anyone hurt.
For routine training during shifts, a training exercise is openly declared. This can be done ahead of time, or an evaluator may do so by surprise - it all depends on what procedures and scenarios are being evaluated. Once the evaluator/actor is detected or challenged by guards (or some other threshold is passed during a scenario), an exercise is declared out loud. Normally, this will happen before anyone in that scenario might reasonably need to use force.
Upon exercise declaration this is accompanied by a quick "safety briefing" over the radio to response forces with routine reminders on what to do if an unsafe act occurs, so guard forces know to appropriately pretend (shout "bang", blink flashlight, etc) instead of actually firing upon intruders. There's a degree of make-believe roleplay once the exercise is active, since discharging duty weapons in real life comes with mountains of paperwork that I don't want to think about even decades later. Of course, less harmful forms of force may still be permissible (and expected!), such as various restraint techniques or handcuffing/zip-tying resistant bad guys.
For any competent org, this sort of training happens constantly and with enough variation to keep everyone on their toes. The role of "bad guy" is rotated between different guards, so everyone has a chance to attempt breaking in to various restricted areas and enjoy tasting the various flavors of pavement around base as we tackle each other. An exercise of one type can snowball into another, if I manage to catch some unsuspecting lazy troop unawares and "kill" them (usually with a "Surprise! This is an exercise, you're dead, do not answer your radio."), then while they're tagged out (and chewed on by their sergeants about situational awareness), a quick response force is scrambled from available troops on shift to stop us. By this point everyone on shift will know the situation has escalated from a failed pentest into a nasty wargame and should act accordingly.
Bear in mind that these sorts of live exercises are meant to evaluate procedures and test readiness in situ - the forces involved may suddenly be interrupted by real-world duties and time constraints. Live force-on-force training conducted with blanks, MILES gear, airsoft or whatever less-lethal weapons they have these days would be during designated training time and not on shift.
> He prefers his own “escalatory approach”, working through a system via an administrator’s access and searching for a “confluence”, a collection of information shared in one place, such as a workplace intranet.
Was this a mistaken transcription for Confluence, the Atlassian app?
It sounds like the journalist didn't know what Confluence is and thought it was a term of art for any generic intranet.
edit: to those saying the word makes sense without referring to the Atlassian product, I'm not buying it. The journalist put it in quote marks, which to me suggests he thought it was a term of art — if he instead meant it metaphorically, I don't think he would have phrased it like that. It's also just an odd word to use to describe the idea.
This would be a fun SAT question: Wordpress is to blog as Conflunce is to __intranet__
The dictionary meaning of "confluence", namely an aggregation or coming together of disparate sources of stuff (information, in this case) into a single place, makes perfect sense here. And searching for places that lots of information gathers seems like a sensible approach to me. The fact that one product happens to have the same name didn't even cross my mind.
Confluence literally means the junction of two rivers, genericized it's where two or more things join or occur together ("a confluence of events"), so it could be either. But naming Confluence (the web application) is very specific, not everyone uses it.
To "conflate" is when two or more things are merged into one.
In tech we usually assume "confluence" means the Atlassian product, not "a merging of several items".
Confluence, n.: a collection of semirandom characters emitted by employees trying to look busy, interned in a series of secure silos, with stringent access controls, to hide the evidence.
This is what happens when people 'sanitize' their writing with an AI. It doesn't often understand trademarks or context, so we get stuff like this.
I imagine the real human written sentence was "Trying to get admin access via a Confluence exploit," which there are many and an app that IT groups take their time updating.
As I wrote in the sibling comment to yours, it really could go either way. A confluence, a place where you find a lot of information like an intranet shared drive, is a reasonable interpretation without the original quote in place. But so is Confluence the application as an example of a confluence which also exists on an intranet, and the writer misunderstood and (being a writer) used their familiarity with English to infer more than was said.
We don't need AI for either interpretation, just familiarity with English.
Ok, so, assuming these facilities are indeed "top secret bases" that have armed security, military or otherwise, how do red teamers not get shot? Do they get right up to but not complete the intrusion? Do they inform security of the intrusion attempt and, if so, how do they defend against the hilarious possibility of actual baddies working at the same time?
These questions might have obvious answers. This isn't my line of work. I'm honestly interested in how they accommodate the need to (a) not kill the vendor and (b) still protect the facility.
in the last section of the article it says that they have a guy on the inside who gives the order not to shoot
Ah, thank you. Hurricane-addled mind missed that.
In the US we just outsource the job to nuns: https://en.m.wikipedia.org/wiki/Megan_Rice
The Darknet Diaries podcast features a lot of fascinating first-hand accounts of penetration testers breaking into places.
One of my favourite episodes is the account of two people breaking into a US courthouse[1], it's both exhilarating and terrifying.
[1] https://darknetdiaries.com/transcript/59/
What is terrifying is the US 'justice' system. It is set up to get people locked up, whoever the Sheriff wants locked up. What a tragic story about a supposedly civilised country.
Yes, that's the part I found terrifying too. I'm reluctant to extrapolate that experience to the whole country, but it's certainly concerning.
Interesting but it ended so.. abruptly! I was hoping for a LOT more. I think if you're interested in this subject area you must get a copy of Ghost In The Wires, and The Art of Intrusion by Kevin Mitnick.
It would be fun to read a detailed writeup for just one successful infiltration. All the small details, step by step.
Anyone have any movie recommendations for a more modern version of Sneakers (great movie)?
A more accurate modern depiction would probably be incredibly boring, at least the actual physical part, because it's mostly people tailgating, walking into the nearest empty office, and plugging a small box into the network port.
Is this an ad for Leonardo? 'Greg would only speak to BBC under a pseudonym'...really? There are many professional, military-or-adjacent red team folks who'd gladly speak to BBC with real names and credentials...
The irrational conspiracy part of my brain thinks Greg is probably undercover MI6.
This would actually be somewhat smart. MI6 could "private label" their pentesting. Their agents get free (actually negative cost) real-world training. You can pick the client list to include both local industries that you would prefer be secure, and potential adversaries that you can infiltrate for "free".
Best covert is overt.
He's a triple agent in his spare time.
He breaks into his office and writes himself up for his own poor security.
That'd be an interesting job interview technique, albeit probably not a good technique: prospective clients are refused at the door and have to finagle their way into the conference room.
I wouldn't underestimate how much of the British establishment is in some way connected to the SIS. there's a reason the Post Office wasn't sold off with Royal Mail
Given they're supposed to show up at top-secret bases and find a way in, they probably don't want their real names and photos to be a Google search away for blue teams to recognize on sight.
Annoying that the article is more focused on "there's people that get paid to break into things" more so than "these are the complexities of breaking into a base".
Physical pentesting or red teaming isn't anything new
Hmm, feels like the article could have been so much longer.. it's a pretty cool topic. Sadly, all the 1-or-2-sentence paragraphs makes it feel like a Goosebumps novel or something. Really awkward presentation.
How does one get into the physical security space? I can pick a lock, climb a ladder, jump a gap, and lie to authorities.. I would love to do this for a job.
There is probably an elite practitioner space for this managed and staffed by people with a career focus in cat burglary or whatever, but for the most part if you want to do physical pentesting the straightforward career path in is to become an information security consultant --- which will mean sharpening up your non-physical skills, because most of the demand is non-physical.
Its probably not even that sexy just waiting for someone to hold the door behind them. At my workplace we are told in our HR material not to hold doors open for anyone but guess what everyone does...
This what security people refer to as "tailgating" and at one office, our security people were trained to spot this. I tried several times when I had lost my ID and got yelled at and had to get a visitor pass for the day.
Another very large tech company the security people DGAF about anything. You could forget your ID, tailgate someone, no problem. I started doing this to see how often I could do it, even when I had my ID. Security never stopped me, but when one of the C-suite folks did a badge scan, my manager got an earful wondering why I was never in the office. Which then resulted in a lengthy meeting with my manger, his director and another director. Imagine their surprise when they found out I was pseudo pen testing their security systems and pointed out that the security firm the company had hired was doing a horrible job. They obviously were not impressed and told me to stop doing it.
I also read a recent version where a team were doing this on purpose to get a person's ID scanned with some kind of a NFC scanner. Of course they would get kicked out for not having an ID or an appointment, but it didn't matter. They already had gotted several different employee ID's they could duplicate and use. They even managed to get some guy pretty high up who had an encrypted RFID ID card and managed to crack the encryption which allowed them to get into all kinds of restricted areas.
> The objective might be to stop a process from working, such as the core of a nuclear power plant.
This sounds quite difficult, if not impossible :)
Depends on how you define stop working I guess? An E-Stop would count in some definitions.
It's probably quite easy...
I think poster was commenting that humans lack the ability to stop radioactive decay/interactions. Not the power plant.
We do readily have the ability to insert all of the control rods at once, which achieves just that.
That limits more reactions from occurring. The uranium is still decaying
The comment I replied to said decay/interactions. Full control rod insertion stops all interactions, reducing the output power of the reactor by over 90% within typically two to five seconds, and only downhill from there.
You're right that the existing fuel continues to decay (and this produces some heat, which is why you need an operational reactor cooling system even if you've shut it down, in order to prevent a meltdown), but it doesn't produce enough heat to meaningfully produce any power (via a steam turbine), and thus it could be argued that you have successfully stopped the core of the reactor from doing its job faster than you can pick a lock.
Off hand I imagine red-teaming a nuclear power station wouldn't actually go this far; victory would end at demonstrating merely that you could have (e.g. by being in a position and possessing the requisite equipment to compromise a temperature or flow sensor in the cooling system, leading the reactor controller to conclude that the cooling system has failed, triggering an emergency SCRAM).
Still it's interesting to think about.
It looks like they target firms/premises without a centralized biometric access.
FreakyClown (ethical hacker) has a recent book on this subject
How I rob banks
https://www.amazon.com/How-Rob-Banks-Other-Places/dp/1119911...
Uh. So what?
At a European hacker con we had the custom of keeping crew badges in the first room to be occupied by us and our security. To get your crew badge, you had to get into that room without authorization.
Everyone worthy of being called "crew" did succeed.
Yes, these are called red teams and this has been a thing for decades.
Why is this relevant to Hacker News?
well, for one, it's conducive to an interesting discussion