The growing danger of targeted fake news, disinformation, and mal-information attacks against businesses

 

What is Disinformation, Mal-information and Fake News?

 

Disinformation could be described as modern-day propaganda, manufactured tactical reality or a tool of economic war used to weaponize information.

Disinformation is manifested in various guises, with fake news frequently used as an umbrella term encompassing aspects of misinformation, disinformation and mal-information. It is used by state actors, criminals and groups with political and ideological agendas.

It often contains emotive content designed to prejudice public opinion and reduce critical thinking, relying on social media, celebrities and influencers to rapidly share and spread its content and with it, fear and uncertainty.

Fake news is a description most people have been familiar with since Donald Trump became the US president. It is often used dismissively to describe or expose a story as being untrue, whether it is or not.

Misinformation is false information, often disseminated by people who do not realise it is inaccurate and have no sinister agenda or malicious intent.

Disinformation is information that is distorted, used in the wrong context or completely false, and that is created and shared deliberately for entertainment, satire, or to cause a disadvantageous outcome for a person, business, group or demographic. Examples range in severity from authoritarian governments seeking to influence their population and disrupt events overseas to fraudsters selling fake medical remedies.

Mal-information adds a more malicious and sometimes illegal context and aims to cause severe damage to the entity being targeted. The information shared can be disinformation or may be genuine but acquired through dubious practice, as in the case of Hillary Clinton’s leaked emails. It is often exposed at a time chosen to cause as much damage as possible.

Mal-information is often associated with the repercussions of Doxxing or Swatting which can be explored in more detail here.

The History of Disinformation

Disinformation campaigns have been used throughout history, especially as a method of warfare. A famous example is Operation Mincemeat.

This was a deception operation planned by the British government to feed the Nazis the false information that an Allied invasion was going to take place against Greece and Sardinia. This manipulated the Nazis into moving their troops, enabling the Allies to attack the real target of Sicily.

The operation involved the use of a body dressed to look like a crashed pilot who was carrying classified documents detailing the attack. The body was planted to wash up in Spain as the Spanish government were known to share information with Nazi intelligence. The operation was a success and is thought to have contributed to a change in the course of the war.

Targeted Disinformation in the Corporate Sector

In the same way that social engineering is used to gain advantage, usually via manipulation of employees, disinformation seeks to manipulate the public, end customer or shareholder to the detriment of the business.

For instance, the conspiracy theory that radiation from 5G causes a range of illnesses from cancer to Covid has resulted in disruption to services, extreme vandalism and attacks against telecommunications workers.

Another example was the sudden influx of subscribers to the video communications app Houseparty as lockdown commenced. Within weeks this changed to a mass frenzy of users deleting their accounts as reports emerged on Twitter from people stating that their Netflix, PayPal, and Spotify accounts had been hacked since downloading the app. Subsequent investigation found that many of the Twitter accounts spreading the reports were fake accounts, but the damage had been done.

State level disinformation campaigns are notoriously used by Russia, honed through years of internal political interference which has progressed to the manipulation of overseas elections, as seen in the 2016 US election. Disinformation is typically disseminated on an industrial level through fake accounts on forums and social media, a practice known as farming. Stories are quickly propagated by super spreaders, resulting in a harmful sway of opinion. Influencers with thousands of followers are also known to be paid to share news, memes, reports and comments.

Why is this a Danger to Businesses?

Disinformation campaigns have never been easier to launch and can now be purchased online through disinformation service providers. Disinformation-as-a-service (DaaS) is a cheap way to target competitors with very little risk of detection. DaaS can be used to rapidly instigate major reputational damage, resulting in lost contracts and business relationships. Another common threat comes from short sellers who aim to lower share prices. Businesses in all sectors are at risk from DaaS attacks.

The methods used include false news about executives and their family life, false information about deals and data sharing, images used in the wrong context, damaging investment rumours, untrue news stories and the use of cheapfakes and deepfakes.

Deepfakes are images, audio or video content which have been altered through the application of artificial intelligence (AI). A project demonstrating how convincing deepfakes are can be seen in a video where Barack Obama appears to use defamatory language to describe Donald Trump. Cheapfakes require less technological input. A video which surfaced showing the Speaker of the US House of Representatives, Nancy Pelosi, appearing to slur her speech, sparking rumours that she was drunk or unwell, was simply created by slowing down her voice. AI-created influencers are even starting to gain popularity on platforms such as Instagram, with a modelling agency existing for digital models who endorse brands and appear at fashion shows.

Another emerging threat is the use of deepfakes by criminals to imitate company executives by phone or video call, requesting employees to transfer large sums of money or divulge sensitive information to a supplier or associate. This type of scam relies on the same principles as social engineering, using authority, urgency and social proof to bypass the target’s critical thinking so that they perform an action which results in a catastrophe for the business.

What can be done by Businesses to Prevent Disinformation and Mal-information Attacks?

Our top tips to prevent and control economic attacks are:

Monitor – effective monitoring of both your business and industry via social media and forums will identify chatter and content before it becomes mainstream. Tools can be used to identify content in different languages across numerous platforms on both the dark and surface web, providing the ability to get ahead of a growing story.

Create an effective response plan – address fake news by evaluating the likely threat actors in advance, the stakeholders they might target and their vectors of attack.  Rehearse every scenario and create response and brand protection plans accordingly, identifying responsibilities within the organisation. This will enable a timely response and will reduce the spread of the fake news.

Communications – be consistent, communicate technical and scientific news effectively and transparently. Maintain a voice across all social network platforms to quickly counteract disinformation. Have a plan to communicate directly with staff and stakeholders in a crisis.

For further advice and for a range of business threat and risk assessments, physical penetration testing, due diligence and corporate investigations please contact Sloane Risk Group.

www.sloaneriskgroup.co.uk

enquiries@sloaneriskgroup.co.uk

0203 897 22 72

71-75 Shelton St, Covent Garden, London, WC2H 9JQ

 

Women’s Safety and Security

 

As a result of the devastating news surrounding the murder of Sarah Everard, there is currently a national conversation regarding women’s safety. As a female led security consultancy, we would like to offer some of the top safety tips which we often recommend to our female clients.

In our opinion, the first rule of self-defence is to develop a strong sense of environmental situational awareness. Being able to understand and identify the risks of a situation and to react appropriately, is the best way to avoid becoming a victim or target of both environmental and criminal situations.

 

Raise Your Situational Awareness

We often walk around oblivious to our surroundings. This could be through a false sense of security because we know where we are, or due to distractions such as mobile phones.

It is vital to remain alert in public: know who is around and behind you, look ahead and plan in advance where you would go if you were in danger. Don’t wear earphones, as they will reduce your chance of noticing an approaching person or vehicle.

 

Manage Your Profile

By this, we mean realise how to blend in and not be identified as a potential target for theft or worse. Be mindful of how you show and carry expensive jewellery, handbags, watches and electronics. A woman should have the freedom to dress how she chooses; however, it is also important to realise that unfortunately there are people whose perception of you will be directly linked to the way that you are dressed, which will impact their treatment of you. This is especially relevant when travelling. (More information can be found in our online Lone Female Traveller course.)

 

Look Strong and Confident

A potential harasser can be deterred by a projection of strength. Most criminals have a strong instinct for self-preservation, which has a direct impact on their selection or subsequent disregard of an intended target or victim. Project strength by walking with purpose, keeping your head up and shoulders back, standing straight and making eye contact.

 

Check In

When you go out, get into the habit of telling somebody where you are going, how you are getting there and when to expect you. This will become a routine and safe practice to follow.

 

Live Location

A great tool available to WhatsApp users is the live location function. It is located within the addition menu (marked with a blue cross), where you can select “live location” for a period of time up to 8 hours. This is very useful if you can arrange for a friend to monitor your journey or evening run.

 

Don’t Overshare

Be wary of disclosing your address or full name to strangers. When using social media, don’t post exactly where you are or where you are going; post after you have left, and don’t post details of places that you visit regularly. Set your settings to approve posts that other people tag you in. If you would not share details of your address, job, partner, children, parents, phone number or email with someone in a supermarket queue, don’t do it online.

 

Have a Plan

If you are going out late, plan your travel home and stick to it. Stay with any friends that you have planned an evening with and check that each of you gets home safely. Consider taking trainers or flat shoes if your journey home involves walking or public transport. Don’t use unlicensed mini cabs and don’t be afraid to photograph the number plate of a taxi that you are travelling in before you board. If travelling by bus, stay downstairs in sight of the driver. On trains, try to find a carriage with a conductor. Familiarise yourself with your mobile phone’s shortcut to 999; it is much harder to perform normal functions when you are under pressure.

 

Draw Attention

If you feel threatened, react to your instincts: cross the road, go somewhere more public or call for help. Don’t be scared to draw attention to yourself. A discussion between our staff has identified multiple occasions where females have avoided theft or physical harm by shouting and making a noise when confronted by a potential attacker. Be aware of what is known as the bystander effect; it has been proven that when many people can help, often no-one does. This is because everyone expects someone else to intervene. If you are attacked in a public place and people are watching, make eye contact and direct your plea for assistance: “You, help me.”

 

 

Self-Defence

It is common knowledge that carrying a weapon can have an adverse effect: apart from being illegal, it can be used against you. Sadly, there are situations where self-defence might be the last available option. In the UK, carrying mace or pepper spray is against the law. However, if you are physically threatened you may take reasonable and proportionate measures to defend yourself. If you have an alternative option, such as a defence dye spray, use it. You can use any item that you are legitimately carrying for another purpose as a weapon if it is proportionate, e.g. the miniature bottle of hairspray or mosquito repellent that might be in your bag. For these to be effective you have to have them ready to access; they are no good if you can’t locate them. Similarly, attack alarms need to be easily accessible, such as attached to the outside of your bag where you can easily pull a string or activate a button if needed.

 

 

 

If you would like more advice and exercises which teach you how to raise your awareness levels, identify if you are under surveillance, plan your travel safely and be more considerate of your approach to online security, visit our online training platform. Our current courses include:

Lone Female Traveller Security Awareness

Security Awareness for High-Net-Worth Nannies

Canine Surveillance Awareness & Protection for Dog Walkers

Women’s Safety and Security

 

 

 


Doxxing, weaponising your data for revenge

 

 

 

What is Doxxing?

 

Doxxing or Doxing is an abbreviation of Documents or Docs. Doxxing is sharing a person’s or a company’s private or identifying information. This usually happens online but can also take a physical form, such as graffiti or newsprint.

 

Doxxing is a weapon which is used by people with a variety of intentions, from addressing social injustices to attacking someone with the aim of inciting physical harm against them. The information shared through doxxing is generally meant to expose, embarrass, extort or endanger the person being doxxed. This information can include phone numbers, email addresses, home addresses, photographs or any other identifying information which the victim of doxing would not voluntarily place in the public domain, or in the context used by the doxxer.

 

The main attraction of doxxing is to inflict a monumental level of pain or harassment against someone without leaving home or being easily detected as the perpetrator or instigator of the attack.

 

What are the origins of doxxing?

 

Doxxing was originally known as Dropping Docs and was initially a method used by hackers and gamers to take revenge against opponents. An early example involved the details of white supremacists being doxxed on Usenet. It has evolved into a modern-day method of attack used by a range of people. Anyone with access to an online platform such as Facebook or Twitter can publish information about someone else in a basic form of doxxing. Dedicated doxxing sites hosted on both the surface and the dark web go a stage further and are designed as a platform for information to be revealed, shared and acted upon.

 

What do doxxers hope to achieve?

 

On dedicated doxxing platforms, the victim’s details are often published with a rough description of what they are accused of such as paedophilia, cheating, child or animal abuse in the hope that other people will subject them to harassment, ranging from using their details to sign up to junk mail services to physical abuse or even swatting attacks.

 

Swatting takes doxxing to another level. Generally seen in America, this is a method of using the victim’s information to call a SWAT team, claiming that an armed or hostage situation is underway. The aim is that the SWAT team causes severe distress to, or even shoots, the person being doxxed.

 

Examples of doxxing include:

 

An instance in the late 1990s and early 2000s where an anti-abortion campaigner published a list of abortion providers, forming a hit list. People’s names were annotated if they had been hurt or killed. To date eight people from that list have been killed.

 

In 2013 a student was misidentified and doxxed on Reddit as a suspect of the Boston Marathon bombing. After a considerable amount of abuse, he was found dead. His death was ruled as a suicide, believed to be as a result of doxxing.

 

Over the last three years we have seen a steep rise in clients experiencing problems relating to doxxing. We have helped a client who, after ending a relationship, was doxxed by his previous partner. He was wrongly listed as a paedophile on a number of websites. Our investigation was able to produce evidence linking his former partner to the accounts sharing the information. Another case involved the distribution of revenge porn against a teenage girl, which was being widely shared via social media. The images were actually deepfakes: her image had been superimposed on another person’s body. However, this was deeply embarrassing for both her and her family. After some work we were able to identify the source of the images and eventually remove the content.

 

Is Doxxing Illegal?

 

Different countries have different laws regarding doxxing. At present in the UK there is not a law dedicated to doxxing; however, most cases will fall under the Data Protection Act, the Protection from Harassment Act or the Computer Misuse Act. The problems generally lie with enforcement, as most doxxers are very tech savvy and will hide behind several layers of protection and aliases.

 

Can doxxing be prevented?

 

People can protect themselves to an extent. We recommend the following:

 

  • Don’t overshare on social media. Consider your posts and comments and the consequences of them. Keep your accounts locked down and limit the information which you provide.
  • Do not make your phone number visible on social media sites. Consider using a secondary disposable number for account set up.
  • Opt out of the open electoral register.
  • Use a virtual private network (VPN) to mask your computer’s IP address.
  • Consider who you provide your address, phone number and email address to. Set up secondary email accounts for online shopping and services which request your delivery details. You can gain additional protection by arranging to pick deliveries up from collection points; this is recommended when using services such as eBay where subsequent disputes are common.
  • Only provide your home address when you really need to. Don’t fill out surveys or prize giving questionnaires; most of that information eventually works its way into the public domain, either through mailing list sales or data breaches.

 

 

Most importantly, audit yourself. Check your own online identity by running your name and partial details through a range of search engines. See what information about you is easy to find.

 

Alternatively, our online profiling service can save you the time and do this on your behalf. We will compile a report detailing what information about you or your business can be easily located. Our experienced team can then execute a process to remove this information where possible.

 

For more information, or to discover our other services including physical penetration testing, surveillance, close protection, investigations and due diligence, visit our website.

 


Counter-surveillance and security awareness training for dog owners, extreme or a necessary service?


One of the consequences of the pandemic is the uptake in pet ownership. With more time to enjoy country walks and a desire for companionship, many people have added a new dog or puppy to their family. The negative impact of this is a surge in pet theft by organised criminals who target dogs which they breed for profit, use for illegal fighting and even ransom back to their owners.

 

More than 60 dogs are stolen in the UK per week and less than 5% of these cases lead to a conviction. In October Tom Hunt MP called for pet theft to become a specific offence, which would result in tougher sentencing for pet theft. Currently most cases are heard in the magistrates’ court, where convictions typically only incur a £250 fine, the same punishment as the theft of an inanimate object. For more information see pettheft.org

 

The stories that unfolded in 2020 tell heartbreaking tales of support dogs, working dogs and children’s pets being stolen often in blatant and planned attacks. The stereotypical example of a dog being taken from outside a shop whilst their owner popped in for a quick pint of milk has been replaced with accounts of sophisticated methods of breaking and entering property, people being placed under surveillance and followed home whilst walking their pets and even being violently attacked for their dogs.

 

These advanced attacks have resulted in the need for serious countermeasures. We have recently been asked to provide several of our clients and their households with security awareness and counter-surveillance training which they can subtly deploy to remain safe whilst walking their dogs. This has led to the creation of our specialist canine counter-surveillance project which 2021 will see us roll out as an online and in-person security awareness service for our clientele.

 

Our training programs are based on years of counter-espionage experience and include subjects such as how to raise your awareness levels, how to identify if you are under surveillance, how to deter potential criminals, what to do if you suspect that you are being followed and safety and security advice which should be adopted in everyday life.

 

For more information regarding any of our services including:

 

Physical penetration testing

Close protection

Surveillance

Counter-surveillance

Security awareness training

Bug sweeping

OSINT and Due Diligence

 

 

Please contact us;

info@sloaneriskgroup.co.uk

www.sloaneriskgroup.co.uk

0203 897 22 72

 


Physical Penetration Testing and Security Awareness Training - the vital and often missing links in an organisation’s security strategy.

Physical penetration testing, sometimes known as black teaming or red teaming, is a hybrid between a security test and a security assessment focusing on the vulnerabilities which can be exploited via an attacker gaining physical access to a building. Once the vulnerabilities are identified they are tested through the methods which would be used by both opportunistic and sophisticated attackers. This is a very pragmatic service that businesses can utilise to explore known and unknown threats against their assets. Learn more about physical penetration testing

My organisation has excellent security infrastructure, why would we need to worry?

Security budgets frequently prioritise physical defences, while little attention is given to ensuring that staff understand the security policy and why compliance is so important. The best access control methods are useless if someone holds the door open for the person behind them or is not confident to react to a tailgate alarm.

 

When asset and risk registers are created, a common mistake is to calculate the value of physical office assets as items such as furniture and IT hardware. The result is a fairly low value, and the security provision to protect them is on par with that equation.

 

An organisation’s intellectual property and data, and the risks from malware and ransomware, are often assessed to be at risk purely from external attack, falling under budgets dedicated to cyber security rather than local physical prevention. Often loopholes can be exploited, enabling network access to be achieved through a simple action such as inserting a USB device directly into a computer.

There is no reason for our organisation to be targeted

In the case of ransomware, hackers rarely care who they target. The threat is not coming from state sponsored actors motivated by industrial espionage or political agenda. It may be simply about holding your files or systems to ransom to make easy money.

 

The human factor is frequently the weakest link in the security spectrum. Recent attacks against blue chip companies have occurred through the exploitation of staff, which can be overt or covert. Overt methods include offering large sums of cash to entice a staff member to take an action, such as the thwarted plot against Tesla in which an employee was offered $1 million to insert a device containing ransomware onto Tesla systems. Covert attacks include staff being exploited without their knowledge. This was seen in the Twitter hacking scandal, where the attacker impersonated a member of IT staff in order to gain employee login credentials, resulting in a hack which provided access to celebrity Twitter accounts which the attacker then used to commence a $110,000 bitcoin scam. Attacks against smaller companies are a constant occurrence but don’t make the headlines in the same way as attacks against companies which float on stock markets or those who control large amounts of data.

 

In many cases, regardless of the threat actor’s origin and objectives, common attack methods are used. These include leaving USB devices where curious staff members may find them and plug them into unguarded systems, phishing attacks, and gaining physical access under a pretext in order to plant a device which will access a company’s network, steal their login credentials or simply record sensitive conversations. Learn more about corporate surveillance

How can we improve our security strategy to mitigate these threats?

Physical penetration testers act in the same way as the attackers. They are well trained and highly experienced in the arts of persuasion, impersonation and pretexting, otherwise known as social engineering. They will gain physical access to a company through a combination of simple factors such as looking like they belong there, speaking about the right people within the organisation, knowing where they are going and having a reason to be there so as not to appear in any way suspicious.

 

They will operate under the parameters of the particular task and will attempt a range of exploits to assess security procedures and infrastructure at every level of the organisation from the situation of cameras, effectiveness of access control, standard of physical security personnel and levels of staff security awareness. The company is then provided with an in-depth report which will score all security risks and will provide recommendations if improvements need to be made.

 

Educating staff in the importance of security procedures, knowing how to identify a well disguised attacker and providing them with the confidence to alert security or office seniors of people who appear out of place is in our experience the most vital line of defence to prevent malicious attacks. It is also a relatively inexpensive option with high results.

 

Once we have completed a physical penetration test, we offer the company a bespoke staff security awareness training session based on our findings. This can be tailored to fit with staff schedules over multiple sites if required and is designed to be a non-judgemental session where the aim is to educate rather than point out individual failings.

 

For more information regarding our range of services including physical penetration testing, executive digital profiling, and surveillance awareness, or to create a bespoke employee security awareness training package for your organisation no matter how large or small please contact our training department.

Please see our other blogs dedicated to social media exploitation, surveillance and physical penetration testing.

 


Social Media as an OSINT tool

It is that time of the year again, the one that is particularly annoying for people who have lots of friends with small children.

It is the ‘back to school’ or ‘stand by the front door’ week. Many parents do this; I have been guilty of it myself. This year it will be even more prominent, as due to Covid the majority of children ended the summer term without meeting the annual leaving milestone as expected, which was especially hard for those reaching the end of their primary schooling or even completing their first year in reception. This year going back to school is a bigger deal for most than ever before, and this will be accurately reported on social media with various versions of #backtoschool and #firstdayatschool.

So what? you might ask. What is wrong with uploading a photo of my child looking super cute in their new school uniform?

For many people, nothing at all. I don’t aim to scaremonger with this post; many people have a Facebook or Instagram account with locked down privacy settings and they only share this sort of picture with their close friends and family.

However, in times where employees are manipulated via social engineering to give away confidential information or access, such as was initially suspected in the recent Twitter hacking breach, people need to be aware of what they are posting on social media and to have a good awareness of what could be compromised if they were manipulated.

Sloane Risk Group specialise in identifying and preventing vulnerabilities which enable malicious access to information. This covers both the physical security of buildings, offices and systems, and the access which is obtained through hacking people, by manipulating them to give away vital information leading to data loss or physical breach.

We have worked with clients in businesses that specialise in software development, pharmaceuticals, and research, all with their own reasons to be targets of malicious attackers, some of which have experienced campaigns against them including threats of direct violence towards the family members of their staff.

When we look at an organisation’s staff and their attitude towards security, we frequently find links between accounts such as LinkedIn and various social media platforms which inadvertently give away far more personal information than can be recommended from a security aspect. We find that people often take measures not to show their address but then they miss other exploitable personal identifiers. This is especially prevalent in spouses who do not realise the access to information or development that their partners may have.

If a malicious attacker is able to trace your children to a local primary school it would not take long to identify them being dropped off, your vehicle and from there your home address. This could be to place you under further surveillance, plant audio devices at your address, search through your rubbish, place tracking devices on your vehicle or even to directly threaten you.

If you are not in the category of people who could be exploited for criminal or competitor gain, the general security of your children should always be a cause for concern. In many child abduction incidents, the perpetrator has conducted some sort of research around that child first especially in kidnap for ransom cases.

What steps should I take to stay safe?

Before you or your spouse post anything with details such as school jumpers with emblems stating exactly where that school is, consider the following:

• Am I in a position where I could be bribed, blackmailed or tricked into giving away company secrets?

• Could the organisation that I work for be a target for hackers, scammers, criminals or protestors?

• Is the company information so valuable that someone could even threaten me or my family to get it?

• Am I giving away too much information about my family and our routines?

This is extreme but unfortunately not unheard of. If you feel that you should maintain the freedom to post about your family life, consider blacking out emblems or logos on uniform, think about the wording you use when you make your posts, and what other information you may be giving away in the picture such as door numbers or car number plates.

If you would like more information regarding counter espionage, a company security assessment, security audit, black team/physical penetration test, staff security awareness training or an employee security profiling test then please contact us.

Applying the Consultancy Cycle to a Black Team Assessment

Security consultancy

A UK tech company requested our services to review their current security strategy. They stipulated a focus on improving staff attitudes towards physical security.

The client was satisfied that their outward-facing cyber security was very strong, but they were concerned about the damage which could be achieved by insider threat or by an attacker who might gain internal physical access.

Stage 1 – Entry and Primary Analysis

We visited the client at their London HQ and ascertained that their main threat was commercial espionage by competitors.

Their need was to develop long-term security resilience rather than to see a quantitative return on their investment. Our pitch focused on the fact that, as a black teaming specialist, we provide a unique service which involves accessing the buildings using the resources of a hostile attacker. This quickly detects the grass-roots vulnerabilities faced by the client and creates the starting place for an advanced security strategy to be developed.

Stage 2 – Contracting

Our proposal stated the set times we would allow for each step such as the black team deployment, use of gap analysis and how we planned to work across the spectrum of people within the business, tackling policy and procedure problems as well as identifying the staff shortcuts.

We explained how we would identify the range of security threats and vulnerabilities to the business and use existing frameworks to strategize ways to reduce them.

Stage 3 – Gathering Data

The first step was the specialist activity of the black team, which enabled us to rapidly ascertain the main human-based problems facing the business. For instance, the staff were extremely polite and held access-controlled doors open for each other. By fumbling with a similar-looking badge or by holding multiple cups of coffee, our testers found entry was easily obtained. Once inside, they were accepted as people who should be there. This stage also enabled us to assess the security hardware of the buildings and the perimeter defence zones.

The next step was to create an asset register and to place a value to the things that were important to the business. We reviewed the policy and processes and interviewed staff informally to establish the security-based strengths and weaknesses throughout the organisation.

Stage 4 – Diagnostics

We identified the majority of the client’s problems during the first stage of the assessment. Our Black Team are experts at finding the holes in physical security and identifying how human nature can be exploited to gain access or to encourage staff to perform an action such as clicking on a phishing link.

We assessed that the physical security was generally to a high standard except for an RFID weakness. However, because we managed to breach the building and remain inside for prolonged periods on five separate occasions, the human element needed improvement. There were also some policy and contract points which we considered to require amendment.

Stage 5 – Generate Options

For the outlay of the cost, the client expected to see the implementation of a tougher security strategy and a clear improvement in their security culture.

Our shared vision was to achieve this by investing in the organisation's people, showing them why security is important and teaching them to recognise and avoid the manipulation tactics used by hostile attackers such as impersonation, phishing, pharming, vishing and smishing.

We presented the client with a range of options which addressed both the quick fixes and long-term goals needed to improve their security resilience, which included:

a) doing nothing
b) developing the security strategy by investing in all business departments with business-wide initiatives, improvement of the RFID issue, advice regarding contract and policy changes and using our results to deliver an informal staff security awareness session
c) the additional option of a more in-depth training feature and ongoing staff security culture testing program with measurable results

Stage 6 – Implement Actions

The client chose the most in-depth option which involved ongoing staff training and subsequent testing. Our consultant led the project with a team of our training consultants and an external partner organisation who implemented an RFID frequency upgrade.

Stage 7 – Disengagement

The scope of the work that we conducted was clearly defined and easily measurable. The client was extremely happy with our service and asked us to re-contract to provide quarterly security spot checks and annual training for new staff members.

For black team/physical penetration testing assessments, security awareness training packages for staff and executives and for corporate surveillance investigations contact us:

info@sloaneriskgroup.co.uk
www.sloaneriskgroup.co.uk
0203 897 22 72

71-75 Shelton St, Covent Garden, London, WC2H 9JQ


Protecting yourself from spying, stalking and surveillance from your spouse or a former partner.

Sloane Risk Group London

Would your spouse spy on you?

Many of our clients suspect that they may be subject to stalking, surveillance and spying by a spouse or partner. We have experienced cases where our client’s email and social media accounts have been accessed, stalkerware has been installed on their phones, tracking devices placed on their vehicles, and their homes have been bugged with audio and video surveillance devices.

 

This article explores some of the easily obtainable software, programs, devices and equipment that can be used to invade your privacy and the basic ways in which you can prevent yourself from becoming a victim of stalking, surveillance and spying by your spouse or partner.

Stalkerware, Spouseware, Spyware

There are lots of tracking apps for mobile devices available. Many are marketed as apps for tracking children but when used maliciously are known as stalkerware, spyware or spouseware. Their capability includes monitoring emails, messages and locations, accessing photographs and contact details, obtaining social media passwords, and even remotely turning on the device's camera to gain a view of its surroundings, all whilst running undetected.

On an Android some of the current tracking programs can be seen in the form of an obvious app, or they may appear as a technical setting that you are unlikely to explore such as wifi settings, access tool or system update service. On an iPhone you may find an app called Cydia or iKeyMonitor. You may also notice that your battery life drains quicker than normal or your location arrow may be constantly visible.

One of the extra problems with stalkerware is that when data is stolen it is not necessarily secured and is then open to compromise by third parties. It may also leave your phone open to further attack.

How stalkerware is placed on a device

There are a range of ways to do this, but these are the most common:

 

1 – You could receive a link via text or email, such as something that looks like it goes to an interesting article, photograph or website. This is called a phishing attack and when clicked on will start installing the spyware onto your device. This could also be in the form of a pop-up requesting access and location permission which in a rush you may accidentally accept.

2 – Access to your PIN and Apple ID. This could be easily obtained by your partner or former partner shoulder surfing and over time seeing what details you enter to access your device and accounts, or from a note you may have written down when first setting up your phone.

3 – A gift. Be wary of anything technical being given to you as a gift or anything you might conveniently find dropped outside your front door.

What to do if you think stalkerware has been installed onto your device

There are many variants of stalkerware and things evolve quickly. The recommended actions vary depending on the type of phone and the install, but advice includes (if using iOS) logging in to your iCloud account and signing out of all active sessions. It is also advised to perform a full reset on your device. This however is not a failsafe and does not work against all attacks, so if you can, consider a professional forensic examination or a new phone. There are tools to search for this type of malware, however these are more available for Android than iPhone and not all are simple to use. Stay up to date with software updates as they are constantly fighting threats such as this.

If you are however stuck in a situation of domestic abuse then it is advised to retain your phone and carry on as normal so as not to endanger yourself. Instead, try to discreetly obtain a second phone for any sensitive conversations and messages.

Next, change all of your passwords including your Apple ID and follow the below steps to limit your personal identifiers and secure your accounts.

How to protect yourself online and prevent becoming a victim of account exploitation

Reduce your online visibility. If you would not tell everyone that you meet your full name, email address, phone number, home address and details of your partner and children, friends and family, don’t do it online.

Step 1 – Use a VPN (Virtual Private Network)

Every computer has an individual IP address which can be used to trace your location.  A VPN such as PIA or Proton VPN disguises your IP address.  There are a range of both free and paid for services although paid for versions generally receive better press. Your account will enable you to use a VPN on multiple devices and you should remember to install it on your smartphone. https://www.privateinternetaccess.com/pages/buy-vpn/ https://protonvpn.com/getvpn?utm_campaign=ww-all-vpn-gro_aff-getvpnp_main_offer&utm_medium=link&utm_content=6&utm_source=aid-1519&bestdeal

 

Step 2 – Create new passwords and usernames

You should not recycle usernames and certainly not passwords. Even if you are not a specific target it is very common for websites to be hacked and data stolen. This data is then dumped in pastebins, which are repositories that can be accessed by anyone, and your passwords and usernames are exploited. If you use the same password on multiple sites it is then very easy for you to be hacked. There are several services that allow you to check if your email password has been compromised such as https://haveibeenpwned.com/ or https://leakpeek.com/
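The breach and reuse checks described in this step, as an added example that is not part of the original article. It uses the Pwned Passwords range lookup run by haveibeenpwned.com, where only the first five characters of the password's SHA-1 hash are sent; the account names, passwords and breach count are constructed sample data, and `offline_fetch` is a hypothetical stand-in for the live service so the block runs offline.

```python
import hashlib
import urllib.request
from collections import defaultdict

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password):
    """Return (5-char prefix, 35-char suffix) of the password's SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines; skip malformed lines and zero-count padding."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep or len(suffix) != 35 or not count.isdecimal():
            continue
        if int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix):
    """Live lookup: only the 5-character prefix ever leaves the machine."""
    request = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "breach-check-example"},
    )
    with urllib.request.urlopen(request, timeout=10) as response:
        return response.read().decode("utf-8")


def breach_count(password, fetch=fetch_range):
    """How many times the password appears in the breach corpus (0 = not found)."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


def reused_passwords(accounts):
    """Group account names that share a password. accounts: {name: password}."""
    groups = defaultdict(list)
    for name, password in accounts.items():
        groups[hashlib.sha256(password.encode("utf-8")).hexdigest()].append(name)
    return sorted(sorted(names) for names in groups.values() if len(names) > 1)


# --- Constructed sample data (not real accounts or real breach counts) ---
SAMPLE_ACCOUNTS = {
    "email": "Summer2019!",
    "shopping": "Summer2019!",
    "bank": "q7#Lm2$vTz9@wX",
}
SAMPLE_BREACHED = {"Summer2019!": 4821}
SEEN_PREFIXES = []  # records what the "service" was actually sent


def offline_fetch(prefix):
    """Hypothetical offline stand-in for fetch_range, built from SAMPLE_BREACHED."""
    SEEN_PREFIXES.append(prefix)
    lines = ["0" * 35 + ":0", "not a valid line"]  # padding entry, malformed line
    for password, count in SAMPLE_BREACHED.items():
        known_prefix, known_suffix = split_hash(password)
        if known_prefix == prefix:
            lines.append(f"{known_suffix}:{count}")
    return "\r\n".join(lines)


def audit(accounts, fetch=offline_fetch):
    """Report which accounts use a breached password and which share one."""
    breached = sorted(n for n, p in accounts.items() if breach_count(p, fetch) > 0)
    return {"breached": breached, "reused": reused_passwords(accounts)}


if __name__ == "__main__":
    print(audit(SAMPLE_ACCOUNTS))
```

Passing `fetch=fetch_range` to `audit` runs the same check against the live service instead of the constructed data.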

 

Step 3 – Use a password manager

A password should be a mixture of numbers, letters and symbols. Instead of trying to remember complex passwords, sign up for a password manager. This is a program that can run on your computer and mobile device which stores and autofills all of your passwords, so you only have to remember one password to access it. There are many different types of password manager such as LastPass or Bitwarden https://www.lastpass.com/ https://bitwarden.com/

 

Step 4 – 2FA, (Two Factor Authentication)

The next step is to secure accounts and your password manager with 2FA. This is often a text message that you will enter when accessing the account, but a more secure way is to use a physical token such as a YubiKey. You place this like a USB into your computer or phone and simply touch it to confirm that it is you accessing the account. https://www.yubico.com/products/?utm_source=google&utm_medium=pd%3Asearch&utm_campaign=&utm_content=&gclid=cjwkcajw57b3brbleiwa1imytre_yw3758gscyh4zc27war9qsyyanismkjmazydvue0dxy8yfngxxocptmqavd_bwe

 

Step 5 - Consider avoiding profile pictures

We all like to have a profile picture on our social media and LinkedIn accounts, and in most cases this is totally fine. However, if you are at risk from malicious activity consider not using them. This also applies to little-used accounts where you might add a picture once and then forget that it is there. If someone obtains a reused username it will be easy to view the pictures that you have used and perhaps forgotten about.

 

Step 6 – Privacy Settings

Set your social media account settings to maximum privacy and make sure that people you do not know cannot access your personal information. Also check your security settings. If someone has obtained your username or email they can use the “forgot your password” option to reveal some of the characters of your phone number or email, and these can be slowly pieced together to gain your contact details.

 

Step 7 – Don’t use your real name

This is for people who have a genuine fear of being stalked. Don’t let vanity take over; your friends know who you are and can find you if needed.

 

Step 8 – Be aware of what you post

It is possible for investigators to search for text in images, so an innocent picture with your vehicle registration in the background could later reveal what you, your house or your children look like. Likewise, with check-ins and geotagging, consider if you really need to publish where you are and what you are doing. Even if you show this information retrospectively you still create a dossier on the places that you visit, the things that you like and potentially annual events that you go to.

 

Step 9 – Change your phone access password regularly

Avoid being a victim of revenge porn

In hindsight this is an obvious suggestion, but in the moment it is not uncommon for people to engage in exchanging sexual imagery. Our advice to all parents is to please have this conversation with your teenagers, as blackmail regarding compromising images is very common. If you have any compromising images on your devices, erase them and don’t forget to empty the wastebin. You may also want to consider clean-up software, often known as file shredding.

https://www.bleachbit.org/

Bugging your house or vehicle

In more extreme cases consider a bug sweep. There are many quick-plant devices that are easily obtained; they might not have a long battery life but the quality is good and they can be accessed remotely. Focus on the areas of your home where you are likely to have sensitive conversations and spend a lot of time. If your spouse is likely to have placed the item themselves then conduct a logical search starting from left to right, high to low. Check everything: books, objects, behind sofa cushions. If you believe that they may have contacted someone to install a more professional device with some longevity, consider contracting a professional TSCM (Technical Surveillance Counter Measures) expert.

Are you likely to be under physical Surveillance?

See our other blogs describing surveillance techniques. If you feel that you are being followed you first need to establish if that is the case, and depending on your situation you may want to do this overtly or covertly. Overt methods include manoeuvres such as driving twice around a roundabout, or turning on quiet stretches of road or randomly when walking, to establish if you see the same person, people or vehicles more than once. Covert methods involve finding a reason to look behind you without appearing to look or to notice anything, for example pausing to stroke a dog or looking back as you cross the road. To detect a professional surveillance team, we suggest employing experienced counter surveillance. If you are under surveillance your options very much depend on your situation and the level of threat against you, and we advise our clients accordingly.

We hope that this blog will enable you to protect yourself from stalking, surveillance and spying by your spouse or partner.

For more information regarding our range of security risk mitigation and protective services including surveillance, close protection, TSCM bug sweeping and counter surveillance please visit our website www.sloaneriskgroup.co.uk or contact us by email info@sloaneriskgroup.co.uk

We have offices in Brighton and London and operate worldwide

Sloane Risk Group

Physical Penetration Testing

The importance of Business Security

A layered approach to security is vital for all businesses from start-ups to international corporations. Starting with perimeter security and external access control, leading to internal access controls and then secured areas and cabinets, security is the first, second and third ring of defence against corporate espionage, hostile attackers, opportunistic intruders, and a large range of threats which can cost a business time, reputation and money.

What is Physical Penetration Testing?


Businesses invest a great deal in fencing, alarms, access control and manned guarding. Physical Penetration Testing is a proactive way to identify if these security measures are working sufficiently and to assess a company’s security vulnerabilities through the eyes of a would-be attacker. This enables the business to improve its weaknesses before a real attacker can exploit them, potentially causing a data breach, loss of IP, theft and even physical damage and harm to employees.

How is Physical Penetration Testing Conducted?

Each deployment is bespoke to the client requiring the service. After establishing the location, nature and size of the business, the client is generally offered three levels of test to choose from. Some organisations, especially those who have a reason to be at high risk from a hostile attack such as research facilities and Government buildings, take a very forward-facing approach to their security concerns and will choose a level of service that simulates the real time that a hostile attacker would spend conducting open source intelligence (OSINT), hostile reconnaissance and surveillance of the building, its key executives and employees. Smaller businesses with a lower security budget, but who understand their responsibility towards facing security threats, might opt for a shorter project but will provide some basic information about the running of the business which the testers would have found out themselves had they conducted a longer surveillance period.

The first step is OSINT. This will show the profile of the company, related media and its areas of interest. It also covers geographical information such as mapping of the area in which it is located, the thoroughfares, staff areas, parking, travel options and other local facilities and businesses which can be utilised during the attack phase.

Most importantly it will show the security awareness of staff members. Through a range of media options OSINT can identify who works for the business, which department and position they hold, who they report to and who reports to them. If staff are not overly cautious it can show when they are on holiday, what the internal office areas look like, even what type of ID they wear and what operating systems they use.

All of this information will build a picture for the next stage of the attack.

Social Engineering

The social engineering part of the attack will start before the main deployment, vishing (voice phishing) calls will be made to identify routes via staff members into the building and to find out additional information about the daily operations and procedures. Pretexts will be established, and appointments will be set up to enable later access or to gain further information about the security procedures.

Cyber Attack

A Cyber penetration test will assess the cyber security of the organisation. How far the team are required to penetrate will depend on the appetite for a realistic result by the client versus their natural precautions surrounding very sensitive client data and the budget available.

 

Whilst malware can be specially created and deployed during a spear phishing attack, many clients opt for a shallower test to determine if any improvements need to be made.

 

The range of typical tests include:

  • Internal Infrastructure test - the type of test which will detect any vulnerabilities which could be exploited by a threat such as a disgruntled employee
  • External Infrastructure and web application penetration tests - to simulate hostile attacks over the internet or intranet
  • Wireless penetration tests - to determine the security of WIFI networks
  • Voice communications tests - these can assess if the telephone network is susceptible to attack
  • Mobile devices and application tests and assessment of their build - to ensure they are secure especially in an age of bring your own devices
  • Cloud configuration reviews - to establish if cloud systems are secure

 

These tests are performed against benchmarks for industry best practices.

 

A physical penetration test can be conducted with or without a cyber penetration test. If they are in conjunction then the physical part will involve the operators planting various devices such as key loggers and USB sticks inside the building.

 

Red teaming, Blue Teaming, Purple Teaming and Black Teaming

 

Red teaming is an objective led penetration test typically scoped to obtain data or to gain access to sensitive areas or networks. A Blue team is a team who react to the red team and try to prevent the attack. A purple team is where the two teams work together either in conjunction or by sharing information after the test.

A Black team is a phrase used to describe a physical penetration test.

What happens when the testers gain access to the building?

Once the testers have identified the pattern of life of the building, business, staff and contractors, the physical attack phase will commence. The testers' aim is to gain entry under a pretext, by social engineering (SE) or covertly, and to blend in. They may have been tasked to access certain rooms or areas such as the data centre, to photograph unlocked workstations to assess staff security awareness, to acquire or photograph sensitive documents or in some rare instances to cause disruption inside to see how the staff and security team deal with it. The majority of clients require a soft approach and wish to see how easy it is to tailgate employees into access-controlled areas and to extract themselves with company information without being detected. On some occasions the client requires a Covert Methods of Entry (CMOE) attack which will utilise qualified lock pickers to test the physical aspects of the building’s security.

What are the benefits of this type of test?

The test is not purely to see how far the testers can penetrate. The report and recommendations provided to the client at the end of the test will examine the feasibility of a hostile attacker conducting each breach the team have identified. It will score the impact to the business against a risk matrix and make recommendations proportionate to the likelihood of attack at each stage. The end result is that your building will be more secure and less likely to receive a security breach or physical attack, and as the implementor you will be able to take the credit for improving the building's security plan and potentially adding to or improving security policy.

What is the most common vulnerability that you find?

The most consistent vulnerability that we find is the human factor: staff members who are too keen to help or provide information without being aware of the security implications of their actions. Sometimes corner cutting is an issue, and very often we find that people are not sufficiently invested in the security of the building to have the confidence to challenge people who are not supposed to be there. We can assist with this by returning with our evidence and, in a friendly way, explaining to staff why they must take security seriously and what the consequences can be if they don’t. We then train them in a workshop focused on improving security procedures, so that they are comfortable challenging people who they do not recognise or who are not wearing the correct identification.

For more information about Physical Penetration Tests please contact us:

 

info@sloaneriskgroup.co.uk