Today we’ll be looking at the 2nd part of our Inside Red Team Operations series, which takes us through the process of planning, preparing and executing a security vulnerability assessment and penetration test; bad-guys style.

In Part 1, we looked at some of the elements and techniques for planning the operation and the recon. In this part, we’ll see how the information gathered during the 1st phase can be used to plan the operation.

Sorting Through Recon Data

Through OSINT, social engineering, phone probes and physical recon, we collected a large amount of data about our target. Some of that information is useless and some is the key to the success of the operation. Going through the information is tedious work but it can be rewarding.

Focusing on People

The first focus is on people. We collected email addresses and information about their employees. This should give us a clear picture of the who’s who in the company, or at least one or two names we can use to mount a social engineering attack. I usually focus on the people that hold mid-level positions. They tend to be well informed about what’s going on and are usually very helpful on the phone or over emails. That willingness to help usually comes from a person wanting to climb into a better position and want that extra “you see? I am very helpful and people rely on me” message to be spread.

Once we have a name, we can search all the information we have about that person. If needed we can perform a deeper recon on him/her. There are several websites that provide information about a particular person, however social media sites like Facebook, Twitter and especially LinkedIn provide all the information we may need.

Products and Technologies

The second thing we focus on is products and technologies. A huge part of a successful social engineering attack is having your facts straight. If the target is a company manufacturing/developing products, they usually have them listed on their Website. Focus on those and try to get the product owners, managers, developers, spokesmen, etc.

If the target is an organization (either private or government) then the focus should be on the service these organizations provide and the points of contact.

Infrastructure

Finally we focus on the technology, or more specifically what powers their networks, web servers and their IT infrastructure. This includes informational scans for things such specific product names and versions, problems with them as reported by their own IT people. Backend and frontend technologies such as any database, CRM or other data management, web services technologies and code.

This information will allow us to start planning any possible penetration via the exploitation of a technical vulnerability. For example, if I know their main web page is hosted on a Windows 2003 Service Pack X, with IIS X.x and MS SQL Database X, then I’ll be able to pinpoint a possible vulnerability that might not be patched in this system and either find an exploit for it or write my own.

In our project, we want to be able to penetrate the company’s network and if that fails, penetrate the company’s premises. Sorting through the data, we found that the VP of marketing’s email address is listed as a point of contact on a bird watcher’s forum.

How is this relevant? Well, we now have “something in common with the VP.” We’re going to become not only an expert bird watcher, but “all the sudden” there is a new bird watching expo being planned in a few months. Since this VP is such a successful business person, we’d like him to be one of the keynote speakers at this expo. How’s that?

Preparing The Bait

The first thing we need to do is get our facts straight. We don’t need to learn everything there is to bird watching, but take 24 hours to read about it, familiarize yourself with the jargon, the hot spots in the country and local area. You want to sound credible.

Second, buy a domain that reflects the “bird watching expo” that is coming up soon. For example, birdwatchexpovegas.com, or something similar. This will be our bait. We’ll use this Website to try and exploit the vulnerabilities we may find in their system, or if this fails, as a supporting site for our cover story.

It would be a good thing at this point to try to figure out what kind of laptops/workstations the employees use. Knowing what OS (version, patch version, etc.) will help us narrow the possible vulnerabilities we can exploit.
One way to do this is by calling and using social engineering to get any number of employees to disclose that information. Another is to directly approach our target with an email.

His company email is the point of contact for the bird watchers forums, so he is expecting to see bird watching related stuff on this inbox. Using the Website we just created we add a little piece of code to the page that can extract some of the information we need. We then can craft a very convincing email directing the target to our site.

If this works, then we’ll have a file sitting on our server with enough information about his browser and system for us to be able to pinpoint a vulnerability that can be exploited. On top of this, it’s often safe to assume that large corporations and organizations don’t have the latest patches, so we can use 0day exploits as well and see if they’ll work.

A good thing to have at this point is a good attack that can be spread via a PDF or a Word document. Those two file types have a lot of potential for hiding exploit code that can leverage Adobe Reader and Microsoft Office, two products with a LOT of vulnerabilities. Another good technology to exploit is Flash. You’d be surprised at the things you can do with Flash. We could use the PDF or Word Doc on an email and the Flash on our Website.

Dry Run

Before we can try all of this on our target we need to perform a dry run. This will be used to not only test our code (Website, exploits, etc.) and our script (the social engineering script, the cover story,) but to also polish the whole plan and have contingencies for every part of it. What if the exploit doesn’t work? What if the target is not interested in the expo? What if he is using a web browser that has been patched? What if his secretary is the one answering the phone? A lot of things wind up not working out.

We need to go through the whole attack and figure out the weak points. If you can, bring someone that isn’t involved into planning and have him/her poke holes in the plan. You’ll be surprised at the things you miss when you’re extremely focused.

Now comes the tricky part. We need to replicate the target environment as closely as we can. That’s when the initial digital recon comes into play. We performed informational scans using one of many tools. We should have enough information about their internet facing network and some of the employee’s workstations in order to prepare our own copy of those systems. Grab a good server, install a virtual machine manager and start cracking.

Do they use Linux for their mail server? Do they use Windows with IIS for their website? Do they have Firewalls? Routers? Any other security device that can be detected? It’s important to note that in most cases, an informational scan will return minimal information, so it’s necessary to go head first into gathering more. This can be done by either calling or visiting the target.

Once we have out servers and workstations ready have your team play the parts and have a person not involved in the planning play the target. Follow the flow and see where it fails.

Stay tuned for Part 3, where we’ll execute the operation and see how to react when things don’t go as planned!

In this three part series we’re going to go through what it takes to perform a security vulnerability assessment that would ultimately end in the penetration of the target.

In part 1 we’ll talk about planning the operation, digital & physical recon and some of the kit we might need. In part 2, we’ll analyze the information gathered during the recon, plan and rehearse the operation and perform a dry run. This will test what we’ve learned and polish our plan. In part 3 we’ll execute the operation and plan for contingencies when things don’t go as planned.

What is a Red Team?

In the world of computer and information security, a red team is a group of highly skilled experts hired to provide adversarial services, i.e. to act like attackers. The goal of red team operations is to continuously challenge the plans, defensive measures and concepts of the organization.

These exercises result in a better understanding of possible adversaries and help to improve counter measures against future threats. Red teams are also tasked with probing physical security measures, sometimes as part of an overall digital/physical assessment and sometimes as a project of its own.

This series will focus on a combination of both physical and digital vulnerability assessments, as well as penetration of the target. This way you can see the techniques needed for both.

It is important to mention that each project/operation is different and the techniques described here will have to be adapted, changed or completely dropped based on the target. It is also important to mention that I will keep the technical details to a minimum. I’m doing this for two reasons; one, because not everyone reading this has a background in computers and two, because I don’t want to show the bad guys any technique they can use.

With all this in mind, let’s begin.

The Project

We’re tasked with penetrating the internal network of a fortune 100 company. If successful, we are also tasked with acquiring highly sensitive marketing documents.

There are many ways to try to penetrate their network and systems but we are going to focus on two. We will try a purely digital approach first, if it fails, we’ll try a physical approach that might give us a way into their network.

The digital approach usually entails scanning their public facing systems in search for a vulnerability to exploit, or a more direct approach that includes social engineering (hacking people into providing information) and a well placed weaponized document or attack code. A physical approach is just that. Physically penetrating the premises, trying to either get to a computer inside or connecting your laptop to their network and trying to find the documents. More often there’s a backdoor to access the network remotely from the convenience of your office/TOC.

Planning and Initial Recon

The initial recon and planning phase is critical. Some operations fail because of lack of information about the target, others are highly successful because the recon was carefully performed and all the possible weak points were identified.

Digital Recon

Let’s start with information in the public domain. Open source intelligence (OSINT) gathering is our first priority. You’d be surprised how much information about companies, their employees and the technology they use in their networks is really out there.

We can start using Google, Yahoo, DuckDuckGo and other search engines, however it would be good to use a search engine aggregator that can search across all search engines at once. It’s also useful sometimes to use the local search engines if we’re targeting a company or organization in another country.

There are services that provide a list of local search engines, or you can try local Google or Yahoo versions. For example, for russia try google.ru and ru.yahoo.com, for Argentina google.com.ar or for France google.fr. You get the picture.

We begin by searching for the company’s web sites, domains, press releases that might indicate the use of a certain technology, names of employees, high level executives, etc.

Press releases are a great resource, for example, they usually detail new products with names of technology, executives and other snippets of information that we can use for a social engineering approach.

Next we search for emails. We can type “@companydomain” and usually you’ll get a list of sites where people used their company email address for various tasks. This is a great source of information about employees (possible targets for social engineering) but more importantly, a lot of times IT people go to technical forums to request help about the technology they are using. It’s a great way to start mapping their operating systems, web servers, databases, firewalls, routers, etc. without having started the mapping part of the recon.

OSINT will usually take a few weeks. We want to gather as much information as we can and built a logical map of what we now know: people, systems, products and connections between all these.

Another great way to gather information is to call the company phone number off hours and if you get a voice mail probe for default passwords. Chances are you’ll get several hits. You can get a lot of good intel via this method. Getting the company’s different phone numbers is relatively easy.

The next phase of the digital recon is mapping the public facing digital assets. We want to know their digital footprint: IP address ranges, domains, websites and security devices if possible. This should be done very carefully, we don’t want to tip their security devices that we are mapping them.

We start searching the different “whois” databases for their different IP ranges. Since our target is a fortune 100 organization, chances are they have acquired a set of IP addresses that is static to that company. Knowing the IP ranges will allow us to also map those servers that might be connected to the internet but do not necessarily provide services (like a company website or e-commerce site do). You would be amazed at what you can find sometimes. In one project I found a server that had a Telnet service up and running, needless to say it was my way in. A developer enabled this for a project and forgot to disable it later. Humans… They are always the weakest link.

We want to map the ports open, the services behind those ports, operating systems, web server software, database software, versions of the software, email servers, file transfer services, etc. Once we have this information we can perform a very simple and fast vulnerability assessment and see what is exploitable right then and there. Sometimes this is all it takes, but most of the time it’s more complicated than this.

There are countless tools to do this, some open source, some commercial. Check online for more information.

Physical Recon

Now for the physical part. If we’re considering the possibility of a physical penetration we need to recon the target.

I usually divide the recon into two different methods: covert and overt. In a covert recon you’re usually either away from the target, using binos or scopes to surveil the target, or you are performing recon at night completely hidden. An overt recon usually means walking into the target’s premisses and pretending to be someone you’re not, while trying to collect as much information as you can by either observing or taking to people (social engineering).

During a physical recon I would also perform a scan of the premisses for any wireless, bluetooth or other RF that I can find. Many times during projects I found open wireless access points and routers. I logged right into them and used them as a channel in. As part of the kit, it’s useful to not only have a lightweight laptop during a physical recon, but also a wireless signal finder/scanner, wifi antenna booster, a good set of stumblers and other software to map all the signals you might find.

I found it very useful to perform a physical recon with a team of 2 or 3 members. You can send one around the premises to check any possible ways in (in case we need a covert entry), while the others maintain a tight surveillance. Key items to map are dress code of employees, badges or IDs they have, working hours, guards and their schedule, different access points to the building, daily activities (day & night) and also paying attention to trash collection, product delivery, etc.

Equipment

A good camera, scopes and other observation gear is needed here. Usually hunting stores have great gear you can get. All this will provide a clear picture of what’s going on around the building, but not inside. Like I mentioned, sometimes you have to perform an overt recon.

For these, I find it very useful to have a small voice recorder and have it on as soon as you walk in. It will record any information people might give you, while also recording atmospherics: a loudspeaker announcing company news or the name of an employee, normal working noise, etc.

Also carry a USB or a small wireless card with you, sometimes during the recon you’ll find yourself in the position of having a brief access to a computer inside the company. Plug that wireless router/card (pre-configured to a certain name/password) and try connecting to it later when you leave. Carry a set of lock picking tools, I like the Bogota Entry Toolset. It’s small, easy to conceal and in most cases work like a charm.

Also, I like to carry a small LED light, which is useful to check inside server racks and other tight spots, a small knife, a pen and a notepad.

Pen and paper might seem a bit outdated but it’s a great way to create a sketch of the site: doors, elevators, access points, guard and camera locations, etc. It’s is an invaluable tool for a physical recon.

Summary

We’ve just gone through the initial information gathering and recon phase. This is a critical phase and can make or break our operation.

You need knowledge to perform the technical part, but overall you have to be creative. Think outside the box, think like an attacker, try to figure out what they would do to gather information. For example, large corporations usually have a cafeteria or restaurant inside their building. This is a weak spot during lunch time, with a lot of activity. You could sneak in dressed as a cook, or even a server and you’re inside.

Bend the rules.

Stay tuned for part 2 where we’ll talk about analyzing the data gathered during our recon, as well as the planning and execution of a dry run!

Editor-in-Chief’s Note: This post was written by Brett and Kate McKay and originally ran on The Art of Manliness.

In a previous edition of the Man Knowledge series on Art of Manliness, we discussed the fascinating history of invisible ink. In doing the research for that post, we came across an equally interesting tool in the spy’s bag of tricks: the concealment device.

Invisible ink was handy for sending secret messages, but sometimes spies and soldiers needed to hide other kinds of objects, or simply wanted a double-layer of protection for their coded missives.

Concealment devices or CD’s looked like normal, everyday objects but actually contained a secret compartment or cavity, inside which could be placed film, notes, eavesdropping equipment, and various other types of contraband.  They were used to smuggle escape aids to prisoners of war, exchange information with friendlies, monitor the enemy, store secrets for safe keeping, and transport items without arousing suspicion.

Concealment History

The earliest quasi-concealments were used by the ancient Greeks and Romans. The Greek general Histiaeus wrote a message on the head of his servant, waited for his hair to grow back, and sent him on his way. This was, of course, not a very effective method of communicating something that was even remotely time-sensitive.

Roman generals placed secret messages in the bandages wrapped around the limbs of wounded soldiers or sowed a message into the sole of a courier’s sandal. In later centuries, dignitaries hid their correspondence in barrels of beer and hollowed out bullets.

Such rudimentary methods of concealment were used for hundreds of years. But the fabrication of concealment devices really became a high art in the 20^th century, particularly during World War II and that Golden Age of Espionage, the Cold War.

Active and Passive Concealment

Modern concealment devices can be classified into two categories: active and passive.

Active concealments are objects that contain a secret compartment while also retaining their normally intended function. A lamp that you can turn off and on but also contains a secret compartment in its base would fall into this category. An object like a secret book safe, which serves only as a hiding place, is a passive concealment.

Regardless of whether the CD was active or passive, it had to be something that would not arouse suspicion if the agent was searched or scrutinized–an item that the person would normally have in their apartment or carry around.

Concealment devices also had to look indistinguishable from the non-modified versions on which they were modeled. To accomplish this, intelligence agencies like the CIA’s Office of Technical Services created labs capable of fabricating everything from furniture like bookshelves and wine racks, to leather goods like wallets and handbags, to books and electronics–all from scratch. The lab consisted of a myriad of special shops that were each staffed by expert craftsmen–carpenters, leather workers, bookbinders, tailors, seamstresses, and more–who specialized in a certain area of production.

These craftsmen, along with very imaginative technicians, dreamed up and brought to life a variety of extremely clever concealment devices. Here is a look at some of the coolest and manliest of the bunch.

Pipe

During WWII, a pipe was made with a secret cavity that sat in the pipe’s bowl, right below the compartment that held the tobacco. You could stash your secret message in that cavity, and if you were about to be compromised, you simply twisted the pipe stem and the top compartment opened, allowing the burning embers to destroy the message.

To accomplish a similar task, agents later used flash paper that would instantly and smokelessly burn up when touched by a cigarette. And when smoking became less popular, spies used water-soluble paper that could be dissolved in coffee cups or even swallowed.

Another pipe used by later spies functioned as a passive concealment; it couldn’t be smoked as it housed a countersurveillance radio. For the agent to listen in on the enemy’s conversations, he merely had to bite down on the stem; sound was conducted through the user’s bones (they currently make swimming headphones that work in a similar way).

Playing Cards

If a pilot was shot down and taken prisoner, but hoped to escape, he needed to know the lay of the land–where he was and how to get to safety. Thus secret maps were an important tool for the fighting man. But paper maps were hard to hide; they crinkled if you were getting a pat down. So Christopher Clayton Hutton, working for the British MI9, came up with the idea of printing maps on pieces of silk.

The maps were sewn into the lining of pilots’ bomber jackets, stashed inside a secret compartment in the heels of their boots, or rolled up inside pencils and even cigars. Hutton also created maps on a special tissue paper made from Mulberry leaves. It had the consistency of onion skin, but was very durable and could be soaked and folded without becoming damaged or creased.

These tissue paper maps were sandwiched between the fronts and backs of playings cards, and could be revealed by wetting the cards and peeling them apart. Each of the 52 cards contained a segment of the map, while the Jokers included the code for how to put the pieces together. Maps were also printed invisibly on handkerchiefs and could only be revealed when soaked in a certain chemical.

Compass (Various Forms)

Even if a POW had a secret map at his disposal, without a compass, getting back to safety would have been a challenge. Thus hidden compasses were one of the most popular concealments during WWII, and they took a variety of forms. Compasses were hidden in pipes, brass buttons, bars of soap, and even unshelled walnuts.

Innocuous-looking items were also made with parts that could function as compasses in a pinch; for example, the clip of a pencil was magnetized and when removed and balanced on the pencil’s tip, would point north.

A tiny compass concealed in a fountain pen. The nib and clip were also magnetized and could function as compasses when suspended from a thread. Other escape pens held maps, currency, and dye to color clothing,

These standard-looking razor blades contained magnetic needles. When the razors were placed in a cup of water, they would spin so that the arrows pointed north.

Board Games

The British company that produced the aforementioned silk maps, John Waddington LTD., also happened to own the rights to produce the American Parker Bros. game, Monopoly, in the UK. German prisoner of war camps accepted items that fell into the category of games and amusements, and so Waddington’s expanded their concealment device catalog to include rigged Monopoly games.

The game board was created with slight indentations which were filled with low-profile compasses, files, and maps. The board and these depressions were then covered over with the printed label. Also, sandwiched between the fake Monopoly money was real currency from Germany and surrounding countries for the men to use on the lam. Recipients of the games were alerted to the fact that the game was a rigged one by a small red dot on the free parking square.

Monopoly boards were not the only games used as concealment devices. Shortwave radios were smuggled in inside hollowed out cribbage boards as well.

While it is commonly thought that these rigged games were delivered by the Red Cross, the supplies from that organization were too vital to risk the Germans discovering the deceit and thus having a reason to refuse their packages. The games were actually given through fictitious charitable groups that were made up for the express purpose of smuggling contraband.

Shoes and Boots

A shoe with a hollowed out heel is one of the oldest and simplest concealment devices. The first heel compartment was created in 1901, and Houdini used them to hide keys for his escapes.

During the war, Clayton Hutton designed flying boots for RAF pilots that had a secret compartment in the heel, inside which could be stashed small food packets or maps. The leggings could be removed as well, turning the boots into civilian-looking brogues.

Hutton also stuck cheese wire into the laces of other shoes for the prisoners to use in cutting through metal bars.

Shaving Cream and Brush

The items contained in mess kits were good candidates for concealment devices as they seemed very ordinary for a solider to be carrying, and they would be accepted into POW camps.

Shaving cream and toothpaste tubes concealed capsules which contained messages or maps. The top of the tube contained a bit of cream so that if the tube was tested, it would appear to be a normally-functioning item.

Metal shaving cream cans were made with false bottoms that included a secret compartment. (Such “diversion cans” are still sold as household secret safes.) And shaving brushes with hollow handles could be used by spies to hide a roll of film.

False Scrotum

Picture thankfully unavailable

In the 1960s, a false rubber scrotum was developed which hid a sub-miniature escape radio and was placed over an agent’s real scrotum. It was a very safe concealment; even during a strip-search, inspectors were unlikely to give an agent’s balls a very close look.

Automobile

During the Cold War, the CIA altered cars so that the fuel tank was smaller, and the remaining cavity could be used to stash a spy they were smuggling out of a country.

Combustible Notebook

The combustible notebook isn’t really a concealment device per se, but it’s so cool we had to include it. Pull out the pin and it starts to combust, like a smoldering grenade. I would have loved to have taken notes for my college classes in one of these and then removed the pin after finals to watch it burn.

Cork

A bottle of wine was an ordinary thing to bring to a function and exchange with someone else, and the cork was very unlikely to be inspected.

Dead Animals

The “dead drop” method was used when secret agents wished to exchange information without ever meeting in person. One agent would drop off a concealment device on the side of the road or in a public park, and another agent would come by later and casually pick it up. Because they were left in public places, dead drop concealments had to be made from things that would fit into the area and wouldn’t entice other people to take or even touch them. Thus, the more repulsive a dead drop concealment, the better. So while hollowed out bricks, tree limbs, and soda cans were sometimes used, animal carcasses were the most popular vehicle for this espionage tactic.

The animals were killed, gutted, and sometimes freeze-dried. A cavity was prepared and closed up with velcro. The animal could be placed in a can and given to the agent to be used at the appropriate time. When that time came, the animals were stuffed with anything from code books to cameras, velcroed shut, and dropped off. The agent might also add some realistic-looking OTS-crafted rodent guts to the scene to up the yuck factor.

Of course while people might steer clear of the cadaverous critter, such a find was a cat’s delight. So the rodents were often sprinkled with hot sauce as a deterrent to kitty depositing a mouse with state secrets at someone’s doorstop.

The animal carcass dead drop was so effective it was still in use up until a decade or so ago.

Gentleman’s Clothing Brush

With its small size and close-focusing lens (the better to copy documents with), the Minox camera was popular in espionage circles and hidden in a variety of concealment devices, like this gentleman’s clothing brush.

The two halves of the brush discreetly locked together and could only be unfastened by inserting a pin into a camouflaged hole.

Skeleton Key

As if skeleton keys weren’t cool and mysterious enough to begin with….

Lighter

Lighters were very common items for a mid-century man to be carrying around, so it was a perfect candidate for transformation into a concealment device. Some, like the lighter above, were made with special bottoms that held a small secret cavity.

And in the 70s, as technology got better and listening devices got smaller, eavesdropping equipment was moved from large passive concealments like bricks to small active concealments like lighters.

Hollow Coins

Hollow coins were first used by Soviet agents in the 1930s to conceal microdots, soft film, and ciphers. Americans discovered the ruskie’s ingenuity in 1953, when a paperboy in Brooklyn dropped a nickel that surprisingly split open when it hit the ground to reveal a secret compartment within.

The coins had been traded back and forth between Soviet spies operating in New York City.

Other countries, including the US, used the hollow coin concealment as well. The reusable coins consisted of two pieces that were screwed together in a virtually undetectable way. To open the coin, you had to press and turn your thumb on the face of it (on the coin above from 1978, you pressed the tip of the eagle’s wing).

The incident with the paperboy reveals one of the downsides of the hollow coin concealment; since they look and feel just like regular coins, they were easy to lose, drop, and accidentally spend. Thus there could very well still be some out there in circulation (better check your piggy bank!)

Sources:

• Spycraft by H. Keith Melton and Robert Wallace
• The Official C.I.A Manual of Trickery and Deception by H. Keith Melton and Robert Wallace
• Ultimate Spy by H. Keith Melton
• BBC History
• Compass Museum

Editor-in-Chief’s Note: The Art of Manliness is a fantastic Website dedicated to uncovering the lost art of being a man. It features articles on helping men be better husbands, better fathers, and better men. Check them out and be sure to subscribe!

The advent of the Internet, including web-based banking, shopping, and all things financial, have created a popular culture that is at least trivially informed about cryptography. Most of us know to look for https:// or a lock icon in our browser before engaging in a sensitive transaction.

One major disadvantage of cryptography is that an encrypted channel sticks out like a sore thumb to an experienced digital sleuth. Enter the world of steganography, the art of hiding messages in plain sight and the advances in covert communication channels.

Using Photographs

The most rudimentary and widely known definition of steganography is hiding textual messages inside of photographs. If you think about today’s digital cameras, it isn’t uncommon for the average photographer to have inexpensive access to a 10, 12, or even 14 megapixel camera. An iPhone 4 uses a 5.0 megapixel camera that yields a .jpg measuring 2592 x 1936.

What if every 31,363 pixels were replaced with the byte equivalent of a character? That would yield a message about the same length of an SMS message, 160 characters. How many people would be able to visually detect the degradation of the photograph if 160 pixels out of 5 million were changed?

1s and 0s

Consider this: a bit is either a 0 or a 1 in the digital realm. A collection of just 6 bits provides 64 different combinations—enough space to include the upper-case English alphabet, numerals 0 through 10, and 28 open spots for punctuation; including a comma, period, colon, space, and carriage return.

Now consider an innocuous twitter account, where the posting includes an extra space after the last period to represent a 1, and no space to represent a 0. Every six tweets can effectively be mapped to a character. Sure, message delivery is slow in this arbitrary example, but the point remains. Even tweets and Facebook posts can carry secret messages!

Steganography Applications

Both the iPhone and Android offer users low cost steganography applications. For example, Spy Pix and Hide It In are two applications that each allows the user to hide one photograph inside of another. Personally, I’m skeptical that a $0.99 app implements a sophisticated enough algorithm to remain undetected from a nation state, but it is probably good enough to fool a run-of-the-mill PI if used judiciously.

If you’re interested in something along the lines of free, that doesn’t require an app, check out Mozaiq to encrypt any image on your hard drive and even assign it a password. To decrypt an image, simply visit this link.

The reality is that modern steganography techniques are far more superior to replacing every n bytes with a character, or ending a sentence with or without an extra space. Each pixel is comprised of RGB values, or red-green-blue. In graphics circles, we describe them as bit planes. In effect, every picture can be reduced to its red plane, green plane, and blue plane—and there are other ways distill a photograph beyond this rudimentary example.

Imagine bouncing around, seemingly randomly, across the bit planes, changing a bit here and a bit there when encoding a secret message into a photograph. Detecting bit plane manipulation in an automated fashion is more difficult than detecting outlying pixel values—but steganalysis is possible.

Steganalysis

Steganalysis is the practice of inspecting a medium to determine if it carries secret content. The Steganography Analysis and Research Center (SARC) focuses exclusively on steganography research and the development of advanced steganalysis products and services. According to their website, their clients range from the US Department of Defense, the CIA and metropolitan police departments. Suffice to say, as steganography advances, so do steganalytic techniques for detecting the use of steganography.

Consider this ultra-simplified example of steganalysis. Histograms are two-dimensional graphs that show how many pixels in an image contain a certain value. Knowing that the range of a byte is 0 to 254, inclusive, a histogram iterates over every pixel in the image and looks at pixel brightness.

The resulting bar graph is typically used by photographers to determine the distribution of tones inside of the photograph, from the darkest on the right to the lightest on the left. Randomly changing n pixels to a character value could (theoretically) stand out in a histogram.

Steganography and Terrorism

Right about now, you’re probably wondering if terrorists have considered using steganography to communicate among disparate cells. If you’re itching to read more about how terrorists might be using steganography, Wikipedia provides an interesting review of Alleged use by Terrorists.

While irrefutable proof of modern terrorists using steganography is hard to come by, the reality is steganography isn’t new. In his excellent book The Codebreakers, David Kahn describes how German spies in World War II used steganography on a wide basis.

So, the next time you see a photo on Flickr—maybe, just maybe, the photograph isn’t really a photograph!

Editor-in-Chief’s Note: Be sure to check out our article main images from here on out on itstactical.com. We won’t be using passwords, but you’ll definitely want to give decrypting them a shot with Mozaiq. I’ve already said too much!

Today I’m going to share some techniques with you that I came up with for creating dead drop devices during a previous SCG International Tactical HUMINT Operations course.

One of our taskers at the end of one class day was to create two dead drops by the next morning. This assignment was give to us at around 6 p.m., so with limited time, I did what anyone wanting to create dead drop devices would do. I hit the local Wal-Mart.

Dead Drop Devices

There are some great commercially available dead drop devices available out there, a few of which we’ve reviewed from Spy Coins. While the commercially available devices work great, there’s just something neat and rewarding about creating your own.

For a brief history on dead drop devices and their use, I’ll direct you to a previous post of ours where we went over some specifics and usage. Suffice to say the purpose of one of these devices is to covertly or overtly leave a message for another person without actually meeting in person.

During the SCG HUMINT class, we had to utilize dead drops to leave and retrieve messages to further our intelligence gathering against the opposition. Just using your local Wal-Mart for the necessary supplies, I’ll take you through a few of the dead drops I created and how they’re best utilized. Be sure to check out the video at the end of this article too!

Creating your Dead Drop

Imagine with me for a few seconds and picture some places that you think could work for both covert and overt dead drop locations. Keep in mind that these locations must be somewhere that doesn’t cause suspicion when being left or retrieved. Perhaps a public bathroom? Walking the dog and tying your shoe?

While you can get creative and make your dead drops ahead of time, it’s much better if you know where and how you’re going to leave your message and mold your device with those things in mind.

Materials Needed

One item I’ve found tremendously beneficial when creating dead drops is a contact lens case. These are about a dollar and you get a right and left container that can be broken in half, creating two dead drops. Another thing I’ll mention is magnets, which can be both a blessing and a curse. A dead drop that I didn’t show is one of those magnetic key hider boxes.

These are great until you go to hide your drop and realize the location you just knew would be metal that a magnet would stick to (ferrous), turns out to be aluminum and it falls off. Luckily, I had a contingency plan and a second dead drop ready to go when this happened! The last thing I’ll mention is Velcro strips or adhesive strips, both work great on the back of a dead drop to quickly leave them underneath something like a sink in that public bathroom we talked about.

Here’s a break down of everything I used for the dead drops pictured in this article:

• Brut Deodorant Stick
• Contact Lens Case
• Green Floral Foam
• Sewing Pin Cases
• EZ Dose Pill Pouches (zip locks)
• Floral Moss
• Craft Paint (2 shades of grey)
• Sponge Brush
• Modeling Clay
• X-Acto Knife and Blades
• Velcro Strips
• Pocket Knife
• Scissors
• Hot Glue Gun

The old Dead Drop in the Deodorant Trick

The first drop I made was something I just wanted to attempt and thought would not only make a good dead drop, but also a great hiding place. As I was searching for useful items at Wal-Mart I stumbled upon the Deodorant and had a lightbulb go off in my head when I saw the Brut canister.

To create this drop, I simply pushed the deodorant all the way up until it broke free of the push-pop like canister. I then cut off about 1/4 of the deodorant stick using a knife. Wanting to store a contact lens case half inside, I knew that simply dropping it in and putting the deodorant stick back down would leave it totally obvious and unusable if anyone ever looked inside.

If that was my goal, I’d just completely remove the deodorant and have a large storage area and replace the cap. The problem with this is that when creating an overt dead drop, like in this case, you want to ensure it remains as true to it’s original purpose if it’s ever discovered. If anyone stumbled upon the Brut in question, they’d never suspect that it wasn’t regular deodorant (well maybe after reading this they would).

Fake Rocks and Grass Mounds

These next two drops are a bit harder to construct but are still relatively easy. The core of these rely on that green floral foam, while the floral foam I show in the images is square, these two drops used half-circle shaped floral foam that was found right next to the square stuff in the floral area.

What’s great about floral foam is its ability to be shaped into whatever you need. With the grass mound drop I didn’t do too much shaping, just hot glued on some floral moss and sticks I could find outside. If I had more time I would have gathered foliage that would match the area I planned to leave the drop.

Floral moss works well and will blend in with most grassy areas provided it’s not dead grass. On the bottom of the grass mound drop, hollowed out and shoved a contact lens case in that fit snugly but could still be removed. Again, a benefit of the foam is how easy it is to shape.

The fake rock was something that definitely took me a long time to sculpt. I started using my fingers to create the angular areas of the rock until I was satisfied that it looked like a rock. I then used two different shades of grey craft paint to dab on the color using a sponge brush. A single color just wouldn’t have looked good and I feel the lighter shade of grey really adds to the realism.

For the last step and while the paint was still wet, I grabbed some sandy dirt from outside and sprinkled it over the fake rock. After drying the sand stuck much better than I’d hoped and again added to the realism.

Notes

Hopefully this article’s made your imagination run wild, thinking of all the things you can create your own dead drops for. They don’t even have to be purpose built for dead drops, your projects can even be hiding places for your valuables that hide in plain sight. The problem with all those overt containers you see, like the hollowed out books or cans is that it’s the first place someone with any knowledge on the subject is going to look.

Let me know what you think of the drops I created and your ideas for what you’re going to put together!

Photos and Video

I’ll admit I’m a bit of an organizational freak, but my wife and those that know me would probably say that’s an understatement. With that being the case, I knew I had to get one of 215 Gear’s Custom Tactical Bags to organize my entry tools.

The Custom Tactical Bag is the Gucci of entry tool bags. Nowhere have I seen a more comprehensive and modular way to carry method of entry equipment on the market today. Up until now, it’s been limited to throwing everything in a big bag, or trying to come up with your own velcro panels to mount all those little items.

While purpose built for carrying entry tools, the Custom Tactical Bag is functional enough to be used for just about anything, including medical supplies or EOD tools.

Custom Tactical Bag

As described on 215 Gear’s Website, “this project was designed from the ground up for one specific purpose, for the tactical organizing and employment of method of entry tools.”

Through the use of custom designed panels, pouches and accessories, the Custom Tactical Bag fills a large void in carrying entry / lock picking tools and does so with a well thought out design that makes efficient use of velcro to bring tremendous modularity to the bag.

Description

The Custom Tactical Bag is smaller than it appears, but don’t let that fool you. It measures 16″ long x 8.5″ tall x 4″ deep and literally held everything I needed it to.

Exterior

Starting with the exterior of the bag, the first thing you’ll notice is the nice rubber-coated nylon webbing handle that provide a nice comfortable grip, despite any amount of weight you may be carrying. Moving away from the handle in either direction will land you at the ITW Nexus/Fastex buckles that allow the shoulder strap to be removed if unnecessary.

The adjustable shoulder strap itself is made from 1.5″ webbing with a contoured, slip-not backed pad that keeps the bag in place whether carried on a shoulder or in a messenger bag style configuration.

Moving to the backside of the bag reveals a low zippered-compartment running the width of the bag. This pocket opens to reveal a hook lined velcro field spanning the entire interior of the pocket for attaching small panels, or to take advantage of the well thought out drop cloth integration.

Measuring a whopping 36″ wide x 28″ tall the fold-out drop cloth not only neatly tucks away in this compartment, but also integrates a 11″ wide x 7″ tall loop velcro area that attaches directly to the inside of the compartment. This ensures that the stored drop cloth stays with the bag at all times and is ready to catch any metal filings or scraps that may get created from entry.

The drop cloth itself is very nicely made with heavy-duty pack cloth and bound edging all the way around. Definitely a feature that adds great functionality to the bag and doubles as a nice place to lay out your equipment.

Made from 1680 ballistic nylon for durability, the Custom Tactical Bag is sure to last a lifetime.

Interior

Accessing the interior of the bag is handled by a clamshell opening on the bag. When carrying the bag, the opening almost seems wrong until you understand the true purpose of the bag and how filleting it open via the heavy-duty zipper allows full access to all contents.

Both the top and bottom inner lid feature hook velcro allowing the placement of any loop velcro backed panel manufactured. Some of 215 Gear’s panels offered are covered in a plush fabric, which also adheres very well to the hook velcro.

The true modularity of the bag lies with the removable main interior panel that allows twice as much storage in the same amount of space. The interior panel is also attached via a PALS/MOLLE connection and can be mounted in either of the three channels of PALS provided to make more room for bulkier items.

This is a great feature of the bag, as it allows some of the larger pouches to be mounted in a way that doesn’t cause the interior panel to ride over them and cause unnecessary bulk in the bag.

Last but not least are the ingenious panels and pouches that 215 Gear has designed to hold everything from bump keys to files for the fine art of lock impressioning. There are over 10 different panels and pouches to configure the bag however you’d like. How awesome are these?

Just take the bump keys you see in the photos of this bag, before I stumbled across the GP Panel #1 I was literally storing all 35 of those keys on a large binder clip ring. Each time I’d need a specific key I’d have to rattle though all of them to find the one I was looking for and then open the binder clip to remove one.

I’m also a huge fan of the GP Panel 2 and 3 which not only do an excellent job of securing a pick set case, but even hold a pair of vice grips extremely well.!

Equipment Carried

Here’s all the items, panels and pouches carried in this bag; despite the numerous items there are still plenty of places let for expansion. Worst case, I just change the configuration and have a brand new set up (Many of these lock picking items can be found at 215 Gear).

Bottom Side

• GP Panel 3 – Peterson Elite 4 Bypass Pick Set
• GP Panel 2 – SouthOrd Assorted Pick Set
• GP Pouch 3 – Security Bit Set, Pin & Tumbler Trainer Lock (For Practicing)

Interior Panel Side 1

• Stanley Mini Crow Bar – Shoved into unused PALS webbing
• GP Panels 11-13 (4) – County Comm Micro Widgy, Mini Multi-Tool, Lock Graphite, Peterson Bump Hammer Weight Kit, Rolled Aluminum Can Strips for Padlock Shimming
• GP Panel 4 – Wire Strippers/Cutters, Pens, Hemostats (curved and straight), Mirror

Interior Panel Side 2

• Adams Rite Slim Jim – Shoved into unused PALS webbing
• GP Panel 1 x 2 – Bump Keys, Featherweight Tension Wrench, SerePick Bogota Entry Toolsets
• GP Panel 10 – Warded Padlock Picks, Automotive Jigglers, Keys for Trainer Lock

Top Side

• GP Pouch 1 – Craftsman Screwdriver/Bit Set, Petzel e+Lite, Peterson Bump Hammer
• GP Panel 2 – Craftsman Auto-Lock Vice Grips
• GP Pouch 4 – Gerber EOD Multi-Tool

Coupons!

Before you rush off to 215 Gear and order a Custom Tactical Bag, they have provided you guys with some killer coupons for not only the Custom Tactical Bag Complete Kit, but Lock Picking supplies, lights, mag pouches and T-Shirts as well!

• Use code ITSCBkit in the coupon code section of checkout for 40% off the complete Custom Tactical Bag Complete Kit a new item set up just for this review that includes the bag and 1 of each panel and pouch. Valid thru December 7th.
• Use code ITSlocks in the coupon code section of checkout for 25% off all lock picking items, lights, mag pouches and T-Shirts. Valid thru December 7th.