Investigators: Cyber-security flaw sleuths, keeping businesses safe
(KMSP) - In our hyper-connected world, every office and home is a potential target for a cyber-attack. Recently, the Fox 9 Investigators followed professional hackers. Their mission is to help companies discover weaknesses before the bad guys find them.
They're called the Red Team. They're hackers for hire, and they're paid handsomely to expose security flaws.
Their clients include the likes of utility companies and financial institutions.
In an effort to learn more about these cyber-protectors, the Fox 9 Investigators tagged along on one of their secret missions.
The target is Service Quality Institute in Bloomington, Minnesota, a business with clients around the world.
Owner John Tschohl gave the Red Team the green light to do whatever it takes to try and hack their way into his company's computers.
"It's a learning device and I'm more of a risk taker and I'm willing to do stuff and learn," Tschohl said.
His employees knew nothing about the pending attacks.
PHISHING FOR VULNERABILITIES
The mission began by firing off emails, appearing to come from Tschohl's company email, to staff while he was out of the country.
The message told workers they're going to be contacted by a vendor who is making security updates to their computers.
The emails came from Ryan Manship, one of Red Team's social engineers, who has a flair for fooling people into doing things.
He followed up the bogus emails with a phone call, all in an effort to fool the staff into giving up their user names and passwords.
At first, no one fell for it.
Then another email went out.
It looked like a message sent by the employees themselves that was returned.
All it took was for one person to click on the "view messages" box.
Once they clicked on the link, the Red Team could do several different things, like install malicious software to gain access to sensitive information.
This time, curiosity got the best of three different employees.
The trick emails, or phishing as it's called, are a major form of cyber-attack. A lot of companies now test their employees to see if they can recognize the threats.
Last year, researchers found 30 percent of phishing messages were opened by the people being tested. That's a seven percent increase from the year before, reaffirming that human beings are the weakest link in cyber security.
FRONT-DOOR WEAKNESS
The Red Team also explored another weakness at the Bloomington company.
Manship attempted to install a secret mini-computer inside SQI’s headquarters, which would give him remote access to the company's network. Manship entered the business posing as a technician from an internet service provider.
"We're supposed to do some sort of assessment to make sure things are working right," Manship told the front desk employee.
No one asked for identification. No one checked with the ISP to verify it was a legitimate service call.
An employee even gave Manship a ladder to access the company's internet router high up on a shelf.
But there was a glitch when he tried to install the snooping device in this location, so he asked if he could take a look at the company's server, which linked all of the computers in the building.
He still had trouble setting up the secret device so he left before the staff would start asking why the service call was taking so long.
Try number two came a couple of weeks later.
Red Team's Steve Kaun, a former paratrooper, who goes by "Ghost", showed up posing as another technician.
"I'm actually here to close out a work order," he told the staff.
He was not asked to show ID either. He was given free access to the server and installed that miniature computer.
The Red Team got remote access to snoop. They could look at any computer in the building.
"I could look at, control, manipulate, do anything I wanted with the entire network," Kaun said.
SURPRISE FINDINGS
John Tschohl learned there's a huge gap in his company's security.
His staff needed to be more discerning of visitors and emails, but the most serious problem the Red Team discovered is something Tschohl never suspected.
"The impact of the vulnerability allowed us to carry out a more devastating attack," said Jeremiah Talamantes, from Red Team Security.
The first thing Red Team did was remotely hack into the office printer.
They discovered no one had set up new credentials when it was installed.
Kaun was able to access the printer's memory by using the commonly known default settings that came with it from the factory.
Once inside, they found reams of sensitive data and had access to everything, including the company's financial information.
The hack also revealed passwords to every computer on the network.
"Something like, say the name of a country followed by like 92 something," Manship told Tschohl.
"Oh my God, that's my password to get on to my laptop," replied Tschohl.
Tschohl believes this experiment has made his company more secure.
"I could see how you could do this for almost any company and they'll just swallow it hook, line, and sinker," he said.
Simple things, like changing the sign-in credentials on a printer, or using more complex passwords for our devices, can really make a difference.