In the past few years security contractors and other personnel have been engaged in VIP protection, from perimeter security and convoy protection to personal security assignments.
I’ve done this in the past. I received the training. However, since I am also a geek with red team and information warfare skills I also performed what I like to call VIP digital protection or VDP.
C-level executives, VPs, command and other high-level employees or personnel are targets not only on the physical side but also on the digital side. Their laptops, cellphones, iPads, etc. contain a wealth of information that can not only be sold for a lot of money but can also represent a risk to national security.
I’ve performed both assessments and actual VDP several times. During an assessment you try to find out how vulnerable your target is to leaking information: how secure his or her digital assets are, how easy it is to connect to those assets, and whether there is any way to extract information. During a VDP it gets more serious. You are monitoring cellphone freqs around your protectee, you are monitoring any wireless network the VIP might be connected to, you create frequency hopping protocols and apply the right crypto to the right channels, and sometimes you just plain jam everything around the person, allowing only those freqs needed for him or her to communicate, thus creating a digital protective bubble.
In this particular project I performed an assessment. The target was the CFO of a large corporation who was going to spend the next several weeks traveling around the world visiting the different branches and offices. Their security manager was worried that he was wide open to digital attacks because he refused to let the security department install full disk encryption on his laptop and to security-harden his cellphone and OS.
So we set up the project: I had seven days to play with him. The CFO didn’t know we were doing this.
I began following the CFO the next morning. He had a very easy routine: coffee in the morning in a cafe near his place, then to the office (on the 2nd floor, with a window facing the street) and finally to the gym for an hour before returning home.
I was armed with WiFi scanners, Bluetooth scanners, a weaponized USB thumb drive fitted to extract the contents of the Documents folder automatically when plugged in, and many other programs and tools designed to break into things and extract information.
On the 3rd day, after having spent the previous two days examining my possibilities, I went to the cafe, ordered a triple espresso, opened my laptop and waited. The cafe had free WiFi, so a lot of people came there to read the news and have their morning coffee.
The CFO arrived as usual by 7:30am and sat at a table. I began scanning the wireless network to see if I could spot his laptop. I also started scanning his phone for Bluetooth signals.
And that’s when I found that his phone had a completely open Bluetooth connection. His was an early smartphone with the usual mail, calendar, etc. apps. His Bluetooth had no password and was set to accept any connection. Worse yet, a Bluetooth file transfer service (the Bluetooth equivalent of FTP) was active as well. I connected to this phone and 5 minutes later I was downloading his emails, contacts, some documents and his calendar. I quickly reviewed the emails and found some really juicy ones.
I then found his computer online. It wasn’t hard to spot: it was named COMPANYNAME-CFONAME. Huh… Excuse me? Seriously? Anyway, it did have a personal firewall installed and it was not responding to port scans or other scans; however, I found it did have IIS (Microsoft’s web server) installed and listening on port 80. It had ASP and other extensions installed, with a wealth of unpatched vulnerabilities.
That was it; that’s all I needed to present the security department with evidence that their CFO was WAY wide open to digital attacks. In the course of half an hour I found that his cellphone was open not only to the extraction of information, but through the FTP service I could have uploaded a piece of malware and had it forward me each email he received on his phone, for example. The same with the laptop. The personal firewall helped, but IIS killed it.
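The three findings above (a web server listening on every interface of a travelling laptop, a hostname that announces who owns the machine, and a phone advertising a Bluetooth file transfer service) are exactly what a security department can check for before the executive leaves. The script below is an added example, not tooling from the original post: it takes the text of two inventory commands a security team already collects (`netstat -an` on Windows, `sdptool browse` on Linux) plus the hostname, and turns them into findings. The command output, hostname and company name embedded in it are constructed for the example; the port numbers are IANA assignments and the Bluetooth service class UUIDs are Bluetooth SIG assigned numbers.

```python
"""Pre-travel exposure audit for an executive's laptop and phone.

Constructed example. Parses the textual output of `netstat -an` (Windows) and
`sdptool browse` (Linux/BlueZ), plus the machine's hostname, and reports the
kinds of exposure described in the post. Sample input below is constructed.
"""
import re
from dataclasses import dataclass

# TCP services that should never listen on a non-loopback address of a
# travelling laptop. Ports are IANA assignments; labels are ours.
RISKY_TCP_PORTS = {80: "HTTP (IIS/other web server)", 21: "FTP", 23: "Telnet",
                   445: "SMB", 3389: "RDP", 5900: "VNC"}

# Bluetooth SDP service class UUIDs (Bluetooth SIG) that hand stored data to
# any peer allowed to connect.
RISKY_BT_CLASSES = {0x1105: "OBEX Object Push", 0x1106: "OBEX File Transfer",
                    0x112F: "Phonebook Access (PSE)"}

# Hostname tokens that turn a machine name into a targeting hint.
HOSTNAME_HINTS = {"cfo", "ceo", "cio", "vp", "exec", "finance"}


@dataclass(frozen=True)
class Finding:
    severity: str
    asset: str
    detail: str


def parse_windows_netstat(text):
    """Yield (proto, ip, port, state) from `netstat -an` output lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, blank and header lines
        proto, local = parts[0], parts[1]
        state = parts[3] if proto == "TCP" and len(parts) > 3 else ""
        ip, _, port = local.rpartition(":")  # works for IPv4 and [::] forms
        rows.append((proto, ip, int(port), state))
    return rows


def is_loopback(ip):
    return ip.startswith("127.") or ip in ("[::1]", "::1")


def audit_listeners(netstat_text):
    """Flag risky TCP services listening on any non-loopback address."""
    findings = []
    for proto, ip, port, state in parse_windows_netstat(netstat_text):
        if proto != "TCP" or state != "LISTENING" or is_loopback(ip):
            continue
        if port in RISKY_TCP_PORTS:
            findings.append(Finding("high", "laptop",
                f"{RISKY_TCP_PORTS[port]} listening on {ip}:{port}"))
    return findings


def audit_hostname(hostname, company_tokens=()):
    """Return a Finding if the hostname reveals the owner's role or employer."""
    hints = HOSTNAME_HINTS | {c.lower() for c in company_tokens}
    tokens = re.split(r"[-_.]", hostname.lower())  # whole tokens, not substrings
    hits = [t for t in tokens if t in hints]
    if not hits:
        return None
    return Finding("medium", "laptop",
                   f"hostname '{hostname}' reveals {', '.join(hits)}")


def audit_bluetooth(sdptool_text, discoverable=True):
    """Flag a discoverable adapter and any advertised data-exposing service."""
    findings = []
    if discoverable:
        findings.append(Finding("medium", "phone", "Bluetooth adapter discoverable"))
    seen = set()
    for block in re.split(r"(?=^Service Name:)", sdptool_text, flags=re.M):
        for uuid in re.findall(r"\((0x[0-9A-Fa-f]{4})\)", block):
            cls = int(uuid, 16)
            if cls in RISKY_BT_CLASSES and cls not in seen:
                seen.add(cls)
                findings.append(Finding("high", "phone",
                    f"{RISKY_BT_CLASSES[cls]} service advertised"))
    return findings


def run_audit(netstat_text, hostname, sdptool_text, company_tokens=()):
    findings = audit_listeners(netstat_text)
    host = audit_hostname(hostname, company_tokens)
    if host:
        findings.append(host)
    return findings + audit_bluetooth(sdptool_text)


# Constructed sample input: a laptop with IIS bound to all interfaces and a
# phone advertising OBEX File Transfer next to a harmless headset profile.
NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5357         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:49162     192.0.2.10:443         ESTABLISHED
  UDP    0.0.0.0:5355           *:*
"""
SDPTOOL = """
Service Name: OBEX File Transfer
Service RecHandle: 0x10005
Service Class ID List:
  "OBEX File Transfer" (0x1106)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 10
  "OBEX" (0x0008)

Service Name: Headset Audio Gateway
Service RecHandle: 0x10006
Service Class ID List:
  "Headset Audio Gateway" (0x1112)
  "Generic Audio" (0x1203)
"""

if __name__ == "__main__":
    for f in run_audit(NETSTAT, "ACMECORP-CFO-LT", SDPTOOL, ("AcmeCorp",)):
        print(f"[{f.severity}] {f.asset}: {f.detail}")
```

The netstat parser deliberately ignores loopback listeners (a local web server bound to 127.0.0.1 is not reachable from the cafe WiFi) and treats `0.0.0.0` and `[::]` like any other non-loopback address; the Bluetooth check keys on service class UUIDs rather than the human-readable name, since the name is free text set by the vendor.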
Securing your digital assets, especially those of high-ranking executives, is more important than you know. Listen to your security people. If they want to review your laptop, phone or iPad, just let them. It’ll save you from yourself later.
Side note: Later, when I presented the findings to the CFO, I asked why he had Bluetooth open on his phone. He replied that he used to have a Bluetooth headset and needed it for that, but he no longer used it. Then I asked why keep it open. He replied: I forgot to turn it off and I didn’t think it was a problem anyway…
Yeah…