Schneier on Security
A blog covering security and security technology.
« Lockable USB Hard Drive |
| Friday Squid Blogging: Humbolt Squid Mystery Solved »
December 9, 2011
Robbing a Bank as Part of a Penetration Test
A funny story.
Posted on December 9, 2011 at 12:30 PM
• 26 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Did the team have Robert Redford as a leader?
Interesting, he 'grew' a conscious in the real world, one that was absent in the 'virtual' world. Probably something to do with emotions vs logic...
Now that I've seen the video, it has a few similarities to the opening sequence from the movie I joked about. (The film is "Sneakers", from the early 1990s.)
Except that the movie involves more hand-on access to the bank building at night, and this team was able to do most of their work online.
I think the leader would rather be cast with Justin Long for the movie here... not Redford.
There is some NSFW language (depending on where you work) at the end of the video courtesy of the MC.
I do believe this is really unethical. I am a pentester and i will never recommend any tests like this to happen.
What if the bank teller had a nervous breakdown? The other client?
Pentests are supposed to represent a reality to an extent. I dont need to kill someone in his sleep to prove i could. I dont need to commit a bank robbery to prove i could steal one.
Either it is bad business, or a great (fictionnal) story.
This is a funny story, that's all. It doesn't really have to be true :)
youtube videos are not "stories".
If you can't be bothered to post even a short summary of the video, why should we be bothered to watch it.
Truly sounds like something out of "Heroic Failures". What a lovely mess. :-)
Ugh, you can't seriously be suggesting that the only way we can present a story is by using the written word? Our voice has worked for storytelling for thousands of years, why does that have to stop now that we can write?
Very Sneakers-ish, just missing a winnebago and peace on earth.
@ugh: It seems that it's a video from a storytelling competition. Ceci n'est pas un pipe, sure, but it's still a video of a storyteller telling a story.
The competition claims that the stories told are supposed to be true. I hope this one isn't. First, they risked to traumatize the bank worker. Second, I thought that every decent bank has a hidden silent alarm trigger. (In Germany, all counters handling money have to have it.) Bank teller pushes/kicks it, cooperates, and if you are still in the bank a few minutes later, say hello to the local SWAT team. I definitely do not want to meet an Israeli SWAT team. Or even worse, an untrained, nervous, trigger-happy policeman.
I remember some people on our team trying some stuff like that a long time ago. They were mailed legal threats instead of contracts. Doing that ransomware stuff in the US typically results in prison time.
On the pentesting angle, I have mixed feelings. The positive side is that I'd love to get an opportunity like that. I'd try to do the most clever, entertaining & successful bank robbery I could. Or we'd just make it realistic to see how people act under stress.
The bad news that seals the deal on my decision is that too much can go wrong. First, someone could have a heart attack or get PTSD. Second, I live in a country where people carry guns, not batons. (Sometimes both.) If there's armed security or a customer decides to be a hero, the pentester stands a decent chance of getting shot. So far, I haven't seen any contract worth getting shot over. Especially with one of the .40 cal that's common in this area.
as much as this could be emotionally destructive for the teller the story is rather humorous.
@ Dustn Schumm
Actually, this was probably the teller's best day on the job. Probably got a kick out of the whole thing.
Actually, didn't the teller get a *date* out of the whole ordeal?
The pentesters had a contract that was written to include physical attacks. I assume the company meant this to include Sneakers-style burglary, but not having a security guard on all sites during the day is also (as demonstrated) a security problem.
(What I want to know is what they put in their report!)
Nick P, what? When, outside of a movie plot, is a bank robbery /ever/ "clever" and "entertaining" ?? Especially for the people involved.
I think you watch too much TV shows.
"Nick P, what? When, outside of a movie plot, is a bank robbery /ever/ "clever" and "entertaining" ?? Especially for the people involved.I think you watch too much TV shows."
Hmm, maybe the one we were just talking about, for starters. Entertained a whole audience. As Jay noted, the teller even got a date out of it. I'd add the Craigslist robber with the uniform fiasco & escape by intertube. The Stander gang hitting the same bank twice in one day after hearing bank manager on radio bragging about the hidden safe they missed.
Who knows, maybe I'd just do it for the lulz...
@Nick P, actually that's what I do
Physical pentests to test the security around servers rooms and other sensitive areas are part of an all out red team. It's a lot of fun and if you have a good team chances are you will end up penetrating your client's premises.
Ridiculously funny from the story itself to the host's comments about Moran, the story teller.
I always thought the best bank robbery is where a teller helps himself to something (money, presumably) the perps left behind after the fact but the robbers get the credit for it.
I mean its not like they can credibly claim to have "only" stolen 400,000 instead of the 750,000 the bank claims is missing.
On a tenuously related note, I've often wondered whether is would be considered bank robbery if someone walked into a bank and politely asked the teller "could I please have large amounts of money from the vault?". I'm not about to try it myself to find out.
Oh come on, the contract between testers and bank simply CAN NOT make that robbery legitimate. The bank has no authority to make dispositions about the health of their employees or customers.
Having a guard w/o a bulletproof vest can be a security gap, too, but that does not mean his/her employer can authorize you to shoot him/her in the chest to prove a point.
I agree. Another reason i wouldnt have taken the job. In the US, any agreement to engage in crime is an invalid contract. More so because the third parties u mentioned didnt agree to such risky, criminal activity.
Interesting commentary. Make sure you understand and clearly define the rules of engagement of the assessment. After that, have fun and make sure to keep your 'get out of jail free' card with you at all times.
@MissinLnk: Stories told verbally are great, but significantly limit the settings in which you may enjoy them. Not a significant problem for a desktop, but many of us like to keep up with tablets, phones or other devices which may be used in a setting where it is not practical or polite to begin broadcasting audio (or plugging our ears with headphones).
For instance, I'm catching up on blogs on the couch beside someone who is watching TV. Playing audio would be distracting, and putting headphones in would be rude as it would be seen as ignoring them.
That's ignoring the privacy loss in having a large video and audio playing versus tiny text that is much harder to view over a shoulder - not necessarily a problem to most, but a deterrent to the shy ones among us.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.