In 2011, a company challenged me to expose any security vulnerabilities in its systems. I was stumped. The method that eventually worked was leaving two USB keys in the urinal, which opened up the company’s infrastructure. A company’s external infrastructure—including web servers, domain name, email and firewalls accessible from the Internet—is a primary target, so that’s where I started. A Certified Ethical Hacker like myself uses keystroke loggers, sniffers, denial-of-service, and remote controls to crack passwords and eavesdrop. I tried every trick in my toolkit against their firewall, yet the network was secure. That said, I had one more trick.
I’m going in
Companies with an impenetrable wall against external attacks are often surprisingly open to insider threats. Hackers can expose these vulnerabilities by predicting and exploiting how people behave in a particular situation. We love to help others, a tendency known as prosocial behaviour.
First, I did a little recon using Google Earth to familiarize myself with the company’s building and grounds. Since the character I was playing that day was “me,” the walking stereotype of a friendly guy next door, I wore my usual garb: a pair of good jeans and a button-down shirt. Next, I drove to the facility. I walked into the front lobby and said to the receptionist: “This is embarrassing, and I don’t usually ask for this type of favour. Could I use your washroom? I knew I’d regret ordering that super-sized drink!”
She smiled—a good sign—and buzzed me in. Inside the men’s room, I confirmed it was unoccupied. I withdrew two USB keys from my pocket and placed one on top of the metal toilet paper holder in each stall. I strolled back to the lobby and flashed the receptionist a big smile.
Wait for the USB key activation
Back at my office, I waited patiently. I was prepared, knowing that once someone found the USB keys, they would immediately plug them into a computer. As soon as that happened, a program on the flash drive would auto-run and establish a remote connection to my laptop. This would give me instant access and the ability to ‘pass the hash’—and no, I’m not talking about the good ol’ college days here. In other words, we would take the hashed credentials of the computer’s owner and pass them to the company’s server, mimicking a standard login.
Before long, my computer sprang to life. I was in. With access to the company’s network, I could now cause chaos. I could extract usernames and passwords, interact with files, or even take screenshots of current activity on a user’s desktop.
Management was horrified
Company management was horrified to learn how easily I had hacked into their system by exploiting how people react in certain situations. My “Big Gulp” ruse was a success because, by and large, people love to be helpful. And it’s true—curiosity does kill the cat. A person who finds a random USB stick will wonder about its content and plug it in to find out. They do this 90% of the time.
My backup plan, had the men’s room story failed, was to hand the receptionist a USB stick and tell her that someone had dropped it on the floor.
Defending against USB keys
Leaving those USB keys in the urinal underscores that security involves more than just protecting your network’s firewall. Internal threats are real, and they aren’t all necessarily the work of a disgruntled employee.
Employees need to understand that security threats can be triggered in numerous ways. Companies should train employees to recognize security threats masquerading as something perfectly innocuous—like the guy next door. A simple policy, such as permitting only one approved type of USB device for internal use, might have prevented me from gaining access to the network.
Companies must also recognize when they have a problem—the sooner they know, the better the chances of minimizing the harm done. The good news is that most enterprises have enormous amounts of data scattered throughout firewalls, applications, routers, and other log sources that is useful for determining what is happening in their networks. The bad news is that too few know how to aggregate and use that data.
What can security professionals do?
Security professionals must implement the technologies and processes that provide access to security logs, along with enough log management to extract the information required to keep the infrastructure secure. Better yet, they can employ a Security Information and Event Management (SIEM) system to collect and correlate data and integrate security data with identity and access information. That way, in our hacking incident, several alerts would have been fired off to security managers long before I accessed any proprietary data.
While it’s true that security threats have become more menacing, remember that security defences also have become more powerful. Ensure you take the necessary steps to protect your infrastructure and data. And remember the USB keys in the urinals.
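The USB device policy and the SIEM correlation described above, as an added illustration (this is example code written for this article, not a product or the author’s tooling): a small correlation rule over constructed log lines that alerts when a USB device not on the approved list is mounted on a host and that host opens an outbound connection to a non-corporate address within a few minutes. The host names, device identifiers and addresses are constructed sample values.

```python
"""Toy SIEM-style correlation: unapproved USB mount followed by an
outbound connection to an external address from the same host."""
from datetime import datetime, timedelta
import ipaddress

# Constructed sample events (not real logs). Format: time host=.. event=.. key=value
SAMPLE_LOGS = [
    "2011-06-14T09:02:11 host=WS-ACCT-07 event=usb_mount vidpid=0781:5567",
    "2011-06-14T09:02:45 host=WS-ACCT-07 event=net_out dst=203.0.113.25:443",
    "2011-06-14T09:10:00 host=WS-HR-03 event=usb_mount vidpid=0951:1666",
    "2011-06-14T09:11:30 host=WS-HR-03 event=net_out dst=10.0.0.5:445",
]

APPROVED_USB = {"0951:1666"}                     # hypothetical corporate-issued device id
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # hypothetical corporate range
WINDOW = timedelta(minutes=5)                    # how close the two events must be


def parse(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["time"] = datetime.fromisoformat(ts)
    return fields


def is_internal(dst):
    """True when the 'ip:port' destination falls inside a corporate range."""
    ip = ipaddress.ip_address(dst.rsplit(":", 1)[0])
    return any(ip in net for net in INTERNAL_NETS)


def correlate(lines):
    """Return (host, device id, destination) for every unapproved USB mount
    that is followed within WINDOW by a connection to an external address."""
    alerts, pending = [], {}   # pending: host -> (mount time, device id)
    for ev in map(parse, lines):
        host = ev["host"]
        if ev["event"] == "usb_mount" and ev["vidpid"] not in APPROVED_USB:
            pending[host] = (ev["time"], ev["vidpid"])
        elif ev["event"] == "net_out" and host in pending:
            t0, dev = pending[host]
            if ev["time"] - t0 <= WINDOW and not is_internal(ev["dst"]):
                alerts.append((host, dev, ev["dst"]))
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print("ALERT: unapproved USB followed by external connection:", alert)
```

Only the accounting workstation trips the rule; the HR host used an approved device and only talked to an internal file server.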
If you’re a business owner, VP of IT or IT director and want to test your security systems, please visit www.cyologylabs.com for a no-obligation consultation.
Finally, don’t forget to download our mobile app, FRAUDSTER, which is available on Apple and Android. You can learn more at www.FraudsterApp.com.