Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

[BruCON] Top 5 ways to destroy a company

Top 5 ways to destroy a company (Chris Nickerson)

No one cares about your findings. We work all day and the ignore your reports!

Well why does that happen?

  • What we give them isn’t important. Managers don’t care about shells!
  • They don’t care about what we care about!

What do they care about?

  • The product line
  • The brand
  • The employees
  • The bottom line

What do you know about the company’s product line? If you didn’t research it, then why not! Don’t you think you should care about what the company cares about.

How do you figure out whats important

  • Step 1: Your opinion doesn’t matter (unless you’re one of the execs that really are in the know)
  • Step 2: Think like them. You need to translate your speech to something they understand.
  • Step 3: Do work.. not on shells, on process, models, information

If you get paid to just go in and hack fuck somebody, then you’re a prostitute.

What kind of stuff are you looking for?

  • Secret
  • Confidential
  • Internal Use Only
  • Public

Going for the secret stuff is great, but what if the Confidential stuff gives you access to the secret stuff? what if the public stuff should be secret?

The business understand CIA (Confidentiality, Integrity, Availability)… all of these factors link into criticality. If you don’t do this, you’re a bad tester!

Customer needs to give you information on what assets exist, the risks, and therefore how critical it is to a company.

Sometimes you’re wrong… email isn’t the most important thing in your company!

You only have a limited time to test, you don’t have an unlimited time to test like blackhats do!

Top 5 ways to destroy a company

  • Tarnish the brand
  • Alter the product
  • Attack the employees
  • Effect financials directly
  • ** Your turn! **

Tarnish the brand (How to do it)

  • Understand the brand
  • Identify key words to market
  • Knowledge of the competitor advantage/disadvantage
  • Intelligence profiles on the “keepers of the brand”
    • Face of the brand
    • Executives
    • Key personnel
    • Entire marketing/design team
  • Reverse engineering the “go to market”
  • Take over the “indicators of quality”
    • False issues (product misdirection)
    • Negative reviews
    • Use by non standard customers
    • False company response

Alter the product (How to do it)

  • Compare listing of products/services depending on the organization
  • Chain of command for product development or service integrity
  • Historical review of the products timeline

Attack the product (How to do it)

Company specific!

  • Software companies
    • Create bugs
    • Make backdoor (then tell the media)
    • Cause errors in function
    • Add hidden features!
    • Divert their code to your servers….
  • Hospitals
    • Change patient diagnosis
    • Attack HVAC and crank the heat
    • Disable critical alerts
    • Attack crash carts to disable on the fly care
    • Attack narcotic dispensing stations
    • Alter patient doses
  • Manufacturing plants
    • Alter the product line (make something different)
    • Change design specs
    • Speed up the line… overflow
    • Slow down the line… underflow (deadlines)
    • Add or remove the product features
    • Decrease quality
    • Break shit.. a lot

Attack the employees (How to do it)

  • Profile who they are (Nessus doesn’t tell you that!)
  • Find out where they live
  • Figure out what “dangers” they might have at the office
  • Figure out there daily routine then make a kidnapping profile
  • Use the company against them
    • Food?
    • Manufacturing equipment?
    • General Terrorism
    • Release the horde?
  • Kill their benefits
  • Reduce their pay
  • Change their accounts (amex DOS)

If you affect their employees, you affect their money!

Directly affect the bottom line (What you will need)

  • Understand how they really make their $$$
  • Identify systems that generate income
  • Do they take credit cards?
  • Do they have cash?

No you know, go and take the money.

SQLi I can see your tables == Ineffective

SQLi I can see your tables to I made a new account and transferred all your money to == OMG!

What can we take away from this

  • Shell doesn’t do anything
  • Speak their language
  • Remove the white/black hat and do the work!
  • Stop trying trying to rationalize why you are right… and change the game!

We are not communication business impact… we are the ones that are ruining the world! It’s on us to fix it.


%d bloggers like this: