Chronicles of Cybersecurity Consulting - 2nd in series - Shortest Consulting Engagement Ever

[Securing Things by M. Yousuf Faisal]


Disclaimer: All views presented here, in this newsletter, are my own.

Neither the author nor the newsletter is liable for any actions taken by any individual or any organization / business / entity. The information provided is for education and awareness purposes only and is not specific to any business and/or situation.

M. Yousuf Faisal


Hi Securing Things Community,

In this newsletter edition, I am continuing with my Chronicles of Cybersecurity Consulting - the 2nd in the series from the field (more to come in future, so stay tuned). In addition, I share my most viewed recent social media posts and my asks.

In case you missed the 1st chronicle in the series, here’s the link → Chronicles of Cybersecurity Consulting - 1st in series.

Special Message:

Before we begin, do me a favour and make sure you hit the “Subscribe” button to let me know that you care and keep me motivated to publish more. Thanks!

Note: remember to validate your email address to ensure that you don’t miss any future newsletter editions.

Chronicles of Cybersecurity Consulting

Note: To ensure anonymity of the projects / end user businesses, I’ve kept the industry and timeframes anonymous.

Chronicle # 2 - “Shortest Consulting Engagement Ever!”

Today I’ll be covering my shortest possible consulting engagement / gig ever.

A global institution reached out about a high-profile incident within their APAC business. While the overall fraud investigations were underway by several other third parties, we were selected for a rather unique task: 30 or so PDF files, worth millions or even billions of dollars, were locked with passwords, and the person in question (who was being sued) had left without informing the business (the exact amount wasn’t shared, but it was made clear to us that it was a big deal).


Client: We have tried every possible thing, used our cracking tools, but all to no avail, no results. We’re under very high pressure from executive management to resolve this ASAP.

Our task was to perform password cracking within our forensics lab on these files, to retrieve the actual contents and provide the unlocked files to the global institution. All while maintaining a strict chain of custody: from collecting the files physically from the client, through transport, within our labs, and upon return. So there were chain of custody forms, seal bags, evidence pictures, sign-offs, etc.
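The paper forms, seal bags and sign-offs described above are usually backed by an electronic ledger in which every evidence item is hashed on intake and re-hashed at every hand-off. The following is an added example for this newsletter (not the firm’s or the author’s own tooling) of such a ledger; it assumes SHA-256 as the fingerprint carried on the custody form, and the evidence bytes and custodian names are constructed.

```python
"""Chain-of-custody ledger with integrity hashes (added example, constructed data)."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class CustodyEvent:
    when: str          # ISO-8601 UTC timestamp of the hand-off
    action: str        # "collected", "transported", "analysed", "returned", ...
    custodian: str     # who held the item after this event
    sha256: str        # hash observed at this event
    note: str = ""


@dataclass
class EvidenceItem:
    item_id: str
    original_name: str
    intake_sha256: str                      # fingerprint recorded at collection
    events: list[CustodyEvent] = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the evidence bytes; this is what goes on the custody form."""
    return hashlib.sha256(data).hexdigest()


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def intake(item_id: str, name: str, data: bytes, custodian: str) -> EvidenceItem:
    """Register an item at collection time and log the first custody event."""
    digest = sha256_hex(data)
    item = EvidenceItem(item_id, name, digest)
    item.events.append(CustodyEvent(_now(), "collected", custodian, digest,
                                    "sealed in evidence bag"))
    return item


def transfer(item: EvidenceItem, data: bytes, action: str,
             custodian: str, note: str = "") -> bool:
    """Log a hand-off. Returns False (but still logs it) if the bytes no longer
    match the intake hash, so a break in the chain is visible on the record."""
    digest = sha256_hex(data)
    ok = digest == item.intake_sha256
    item.events.append(CustodyEvent(_now(), action, custodian, digest,
                                    note if ok else f"HASH MISMATCH: {note}"))
    return ok


def verify_chain(item: EvidenceItem) -> tuple[bool, list[str]]:
    """Check that every logged event saw the intake hash; list those that did not."""
    bad = [f"{e.when} {e.action} by {e.custodian}"
           for e in item.events if e.sha256 != item.intake_sha256]
    return (not bad, bad)


if __name__ == "__main__":
    # Constructed sample evidence standing in for one of the locked PDFs.
    pdf_bytes = b"%PDF-1.7\n...constructed placeholder content...\n%%EOF\n"
    item = intake("EV-001", "statement_q3.pdf", pdf_bytes, "analyst A")
    transfer(item, pdf_bytes, "transported", "analyst A", "courier to lab")
    transfer(item, pdf_bytes, "analysed", "analyst B", "password recovery in lab")
    # Simulate the file being altered before return: the mismatch is logged.
    transfer(item, pdf_bytes + b"x", "returned", "client", "handed back")
    ok, problems = verify_chain(item)
    print("chain intact" if ok else f"chain broken at: {problems}")
```

The point of re-hashing at each step rather than only at intake and return is that a mismatch is attributed to the specific hand-off where it first appeared, which is what the sign-offs on the paper form are for.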

Yes, I was part of a forensics team for 5+ years, performing different dead forensics acquisitions and forensics analysis as part of IP litigations (firms suing their counterparts for stealing their intellectual property), mostly hired by law firms, and/or by HR / security departments in cases of fraud or employees sending out confidential information to competitors. So we did acquisitions of laptops, desktops, mobile devices and (not so common in those days) live capture of actual servers as well. Tools at the time weren’t as sophisticated or feature rich as they probably are right now. A few future chronicles will cover such engagements. Sometimes these were fun and challenging engagements, and sometimes stressful, especially the ones that requested covert operations (which I personally didn’t enjoy).

Back at our forensics lab, we had a brand-new, top-spec server with the highest available RAM, CPU and graphics card, and the latest password cracking tools set up in the lab, ready to be tested on an actual gig.

So, as excited as I was, I said to myself, let’s get cracking… I started customising and testing a few cracking policies / schemes for the subject files in question.


But with every policy, the estimated time to crack showed as above 40 days or much more. Sitting at the console, I asked myself whether this was going to work at all.


So I decided to try some variations of the institution’s name and combinations of it, to see whether they would be the password for these files…

15 mins into the actual delivery of the engagement, I started questioning everything. And in the next 15 mins, I was able to crack the passwords of 29 files, with the exception of 1 file, on which I created a custom password cracking policy and hit run.

From so many days to cracking them all (with the exception of 1 file) within the next 15 mins. Now you might be wondering how? As I stared at the subject files, I noticed a weird pattern in the file names that seemed a bit abnormal. So I decided to try the file name as the password. Voilà, one after the other, each file opened without any issues. Here, common sense prevailed.
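The weakness the story turns on, a document password that is just the document’s own filename, is easy to refuse at the point where the password is set. Below is an added example (written for this newsletter, not code from the author or from any vendor tool) of such a check for a secure-sharing or DLP workflow that can see both the filename and the chosen password; the normalisation rules and the sample filenames and passwords are constructed assumptions.

```python
"""Refuse document passwords that are derivable from the document's filename
(added example, constructed sample data)."""
import re
from pathlib import PurePath

# Characters a user typically drops or swaps when turning a filename into a password.
_SEPARATORS = re.compile(r"[\s_\-.()\[\]]+")


def _normalise(text: str) -> str:
    """Lower-case and drop spaces, underscores, dashes, dots and brackets."""
    return _SEPARATORS.sub("", text.casefold())


def filename_variants(filename: str) -> set[str]:
    """Normalised forms of the filename that a password check should refuse:
    the whole name, the stem, the stem without a trailing number, and each
    separator-delimited token of the stem."""
    path = PurePath(filename)
    variants = {_normalise(path.name), _normalise(path.stem)}
    variants.add(_normalise(re.sub(r"\d+$", "", path.stem)))  # "invoice_2019" -> "invoice"
    variants.update(_normalise(tok) for tok in _SEPARATORS.split(path.stem) if tok)
    return {v for v in variants if v}


def password_derived_from_filename(filename: str, password: str) -> bool:
    """True if the normalised password is one of the filename variants, or
    contains the full stem (e.g. "Invoice2019!" for "invoice_2019.pdf")."""
    pw = _normalise(password)
    if not pw:
        return False
    if pw in filename_variants(filename):
        return True
    stem = _normalise(PurePath(filename).stem)
    # Only treat a contained stem as a match when it is long enough to be meaningful.
    return len(stem) >= 4 and stem in pw


def review_batch(pairs: list[tuple[str, str]]) -> list[str]:
    """Return the filenames whose chosen password fails the check."""
    return [name for name, pw in pairs if password_derived_from_filename(name, pw)]


if __name__ == "__main__":
    # Constructed sample batch: filenames and the passwords a user chose for them.
    sample = [
        ("ACME_Statement_Q3.pdf", "AcmeStatementQ3"),           # filename with separators dropped
        ("invoice_2019.pdf", "Invoice2019!"),                   # stem plus punctuation
        ("transfer-approval.pdf", "approval"),                  # one token of the name
        ("board_minutes.pdf", "correct horse battery staple"),  # unrelated: passes
    ]
    for name in review_batch(sample):
        print(f"REJECT {name}: password is derivable from the filename")
```

A check like this belongs next to the usual length and breach-list rules; it catches exactly the class of password that a reviewer sitting in front of the files will guess in minutes, as happened here.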


I went to my country manager at the time to seek his permission to inform the client immediately that we had solved their case in 30 mins (whereas the engagement was expected to run a few days to weeks, and we could have charged them accordingly), and the country manager agreed that it was the right thing to do.

So here’s how the conversation went with the client:

Me: Hello, client, we’ve cracked 99% of the subject files, with the exception of 1.

Client: How come?

Me: I wrote a rainbow table attack and ran it against the files.


Client: Awesome, please teach me how to do that as well.

Me: I am just kidding, I wish I was that geeky :-)

Client: Haha - So how?

Me: Well, I noticed a strange file name pattern and started using each file’s filename as the password. It worked on 29 out of 30 files.

Client: What? (and there was some panic in his tone).


Me: Yes, that’s true. Only 1 file seems to have a typo in the filename, and it’s not opening. I’ve tried the other filenames for that file but no luck, so I am cracking it with a file-name-variation policy. Let’s see, it’s showing 4+ weeks, but I am not hopeful.

Client: We’d like to get all the files ASAP and leave the 30th file for now. Also, we’d request you not to put this in your report, as our team will be in a tough spot.

Me: I understand, but we are obligated to report the facts as-is. Maybe it’s a good lesson learned for your internal forensics team to exhaust all such options. Hope you understand.

Why I am telling you this story:

There are a few important lessons to be drawn:

  • Sometimes, common sense prevails over technical skills. If I hadn’t given it a thought and had kept my focus on the password cracking tool, I would probably still be cracking those passwords - ok, maybe that’s too much - but I definitely would have given up hope of cracking them. So don’t rely on your hard skills only; in the consulting world, sometimes common sense is your best friend.

  • At times you get requests to cut corners and not report the facts. As a consultant, you have to make sure not to compromise your credibility just to make the client happy. So make those tough calls. Be true & transparent.

  • Building trust over $$$ goes a long way. It’s unethical to charge a client any amount of money that’s not well spent on the project, unless it’s clear in the SOW upfront. In our case, the minimum charge was 1 day for the project, and until the client requested to stop the engagement, our charging meter could have stayed on as the cracking continued. We didn’t charge anything beyond the minimum amount. The engagement was closed within the first 30 mins. We returned all files with chain of custody the same day.

What other important lessons can you think of?


Would you have done something different - if you were a consultant? Would you have expected something different - if you were an end user? Comment below.

Do subscribe to ensure that you don’t miss the 3rd in series on Chronicles of Cybersecurity Consulting - Titled “Accidental Finds”.

My Recent Most Viewed Posts:

In case you’ve missed - here are some of my recent most viewed social posts.

  • Getting started in IT & OT Cybersecurity - a blueprint / framework to 2x / 5x / 10x your cybersecurity career. Links in comments of the above post.

    👉 Do share, comment and add your experience and insights, as this may help someone gain some clarity and make the right choices in their career decisions and/or progression. Our world needs more cybersecurity professionals.

    👉 I hope to make a difference & help at least 100 or more people in 2024 (ideally 1K or more) to give back to the community. Join me in doing the same.

  • Internal Audit and IT & OT Cybersecurity Program - a suggested approach for an internal audit team to build their knowledge / skill base and be able to ask relevant questions about IT & OT cybersecurity / transformation program activities.

  • AI Cybersecurity Policy & Reference Guidance - which covers AI cybersecurity policy construction (key elements), steps for a policy build execution project, and several reference standards, frameworks and guidance documents.

  • Securing Things Academy Promo released - download below.

Attachment: Securing Things Academy (STA) Promo by MYF v4.pdf (970.02 KB)

Become the Top 1% - whether it is Product, Growth, Design, Management, Business, Tech & Data - GrowthSchool is the place to learn from top experts in the field:

FREE AI & ChatGPT Masterclass to automate 50% of your workflow

More than 300 Million people use AI across the globe, but just the top 1% know the right ones for the right use-cases.

Join this free masterclass on AI tools that will teach you the 25 most useful AI tools on the internet – that too for $0 (they have 100 free seats only!)

This masterclass will teach you how to:

  • Build business strategies & solve problems like a pro

  • Write content for emails, socials & more in minutes

  • Build AI assistants & custom bots in minutes

  • Research 10x faster, do more in less time & make your life easier

You’ll wish you knew about this FREE AI masterclass sooner 😉

Whenever you are ready - I can help you, your organization or your customers on the secure digital transformation journey through:

B - IT & OT Cybersecurity Trainings & Education

Reach out at info[at]securingthings[dot].com or DM via LinkedIn.

My Asks

I invite #SecuringThings community to share their feedback, and wish list for the year on:

  • any industry specific pain points & potential resolutions of keen interest?

  • what did you like about this and or previous editions?

  • what could be improved?

  • what you’d like to see in future editions?

Your feedback and input is invaluable to me as we work together to strengthen our cybersecurity defenses and create a safer digital future. Thank you for your trust and continued support.

Thanks for reading - until next edition!

It’s a Great Day to Start Securing Things for a Smart & Safer Society.

Take care and Best Regards,

M. Yousuf Faisal.

Follow: #securingthings on LinkedIn | @securingthings on X/Twitter & YouTube.

The Newsletter Platform Built for Growth

When starting a newsletter, there are plenty of choices. But there’s only one publishing tool built to help you grow your publications as quickly and sustainably as possible.

Beehiiv was founded by some of the earliest employees of the Morning Brew, and they know what it takes to grow a newsletter from zero to millions.

The all-in-one publishing suite comes with built-in growth tools, customization, and best-in-class analytics that actually move the needle - all in an easy-to-use interface.

Not to mention responsive audience polls, a custom referral program, SEO-optimized webpages, and so much more.

If you’ve considered starting a newsletter, there’s no better place to get started and no better time than now.
