Cyber firm goes undercover to invade, protect businesses

Ben Caudill, Rhino Security Labs
Ben Caudill at work.

SEATTLE – Businesses beware: If a stranger wearing an immaculate business suit and engaged in “techie-talk” on his cellphone shows up and says he’s the new IT guy, don’t fall for it. He could be your worst nightmare – a professional cyber-saboteur like recent Washington State University business graduate Benjamin Caudill.

On the outside, Caudill looks like an innocent, young business professional. But in reality, he is a deadly force that could easily penetrate and exploit a firm’s most private files. Fortunately, he’s what the computer world refers to as a “white hat;” in other words, he’s a good guy who only engages in cyber hacking of the ethical kind.

Niche: Identifying cyber threats

Caudill recently launched Rhino Security Labs, a Seattle cyber-threat management company specializing in showing customers how attackers penetrate network systems and what a firm can do to improve security. To date, Caudill has served hundreds of businesses, nonprofits and government agencies.

He will speak about offensive forensics and the use of investigative tools and techniques to attack and compromise target systems at Defcon 21, a hacking conference, Aug. 1-4 at  the Rio Hotel in Las Vegas.

The growing need for expertise to help firms protect sensitive data is a career niche for WSU students like Caudill interested in management information systems (MIS), a major offered in the WSU College of Business.

“We are leveraging the natural fit between the MIS and entrepreneurship majors,” says Mauricio Featherman, one of Caudill’s professors in the college’s Department of Management, Information Systems, and Entrepreneurship. “For example, we’ve created a popular new mobile apps class that teams technically minded MIS students with entrepreneurship students to develop mobile apps for sale in the Google Android marketplace.

Preparing students to succeed

“This integrative approach results in extraordinary growth in students’ knowledge and skills,” Featherman says. “It also prepares them to compete in the college’s annual international business plan competition, in front of real world business investors.”

“Much of what I learned in the MIS program was about problem-solving, specifically in business and technical situations,” says Caudill. “The website design projects, the business plan competition, the project management and business intelligence classes were particularly useful.

“I am able to talk proficiently about these topics and was able to guide our company through some perilous early days — something I couldn’t have done without my WSU MIS training,” he says.

Before graduating from WSU in 2010, Caudill landed a summer internship at Boeing and worked with an elite group within the information security department. When he completed his WSU degree, he was offered a full-time position and spent the next couple of years learning more about security, networking and penetration testing. After a short stint with U.S. Bank as an “attack and penetration” team member, he decided to go out on his own.

Helpful tips
To the benefit of anyone concerned with cyber-threat management, Caudill shares a few tips from his recent experiences:
How to get in

Penetrating a firm’s physical security is easier than you might think, says Caudill. Dressed in suits and carrying briefcases, he and his team arrive at the firm’s building around 6 a.m. before guards and front-desk personnel get to work.

If the risk of being recognized as an outsider is high, Caudill often uses a technique he calls “social protocol exploitation,” a fancy name for a fake cellphone conversation peppered with technical jargon and a white lie of “I’m just getting to the office.” Caudill says this scenario helps to convince anyone within earshot that he’s a legitimate company IT person and forces eavesdroppers to choose between being polite and not interrupting his phone call or following company protocol and challenging his presence. Often, they will choose the “polite” route, he says.

Once inside, Caudill searches for an empty room. He says firms often post a schedule outside a conference room so anyone can observe when the room is free.

He has used such spaces to work clandestinely for hours, installing keyloggers (small programs that monitor/record each keystroke a user types on a specific computer keyboard), hidden cameras and remote access points (backdoors) into the company’s network. Besides acting, one of his other talents is picking locks on office doors belonging to the firm’s highest administrators.

The art of deceit

While the firm’s CEO is aware of the security assessment, no one in the lower rungs of the company knows about it in order to make it a more realistic attack. If the person he’s following questions him, Caudill quickly shifts into actor mode: “Feigning shock, I put one hand over the phone microphone and respond, ‘Oh my apologies; I’m Adam Cole, the new IT guy,’” says Caudill.

“Before the target has time to respond,” he says, “I continue my sham phone call and casually stroll behind while the person continues to use his ID badge multiple times to get through secure access doors.”

One such performance gained Caudill entry into a credit union that had contracted his services. His cover was soon blown when another employee arrived in the area where Caudill was working and didn’t believe his story.

Caught red-handed, Caudill rolled out another ploy — the missing business card.

“I made a dramatic point of pulling out my wallet – feigning disappointment as I confessed that it had been recently stolen – as well as my business cards and proof of my ties to the company,” he says.

But this time, the woman was having none of it and promptly escorted him to the manager’s office. As he made eye contact, Caudill realized it was the same man he had tailgated into the building.

“Oh yes! That’s Adam Cole,” the manager confirmed. “He’s the new guy with the IT department.” Embarrassed by her apparent lack of tact, the woman then apologized profusely and offered to do anything to help “Adam.”

Hacker’s best friend: Helpdesk

“The only way to know if a hacker can exploit a network is to try exploiting it,” says Caudill. “Even if you have firewalls installed, antivirus updated and Windows patched, other flaws can still exist that would allow an attacker to access your data. This is where penetration testing comes in.”

If Caudill and his team runs into a roadblock during the penetration testing period, they do exactly what everyone else does when they need network assistance – call the helpdesk.

For example, after verifying the basic identity of an employee that Caudill impersonated, a helpdesk associate happily gave him the internal URL for accessing a medical company’s patient database, he says. Using the chief architect’s credentials to log into a Web form, the team immediately hit the jackpot: nearly 100 million patient records including names, dates of birth and Social Security numbers.

Remediation

While the scope of assessment varies from one firm to the next, Caudill says he commonly tests for password cracking. In a recent assessment, he was able to use a tool that analyzed a list of thousands of passwords and tried each one against a particular password prompt. Each time a prompt was successful, he received an alert and could use those credentials to access a system.

“Possible remediation in this case would be to lock out accounts after ‘x’ number of tries, as well as ensure stronger passwords are put in place,” he says. “Occasionally this can be done with technical means, but most often this is a policy recommendation for management to enforce.”

Once an assessment is complete, Caudill creates a thorough document for the client, listing all security flaws, risk ratings, descriptions and remediation steps. Once the client has reviewed it, a close-out meeting is scheduled to discuss the assessment and a plan for remediation. Caudill also makes it a point to remain available to answer former clients’ questions.

“I took a lot of flak when I left the security of a stable job for a startup with a few friends,” says Caudill. “But I knew what I was going after, and that drive has been the biggest factor in determining my success.

“We all share this at Rhino Security, in fact, and it’s been integrated into our slogan: ‘Leading the Charge for Enterprise Security.’ Don’t be afraid to lead the charge,” he says.