The dangerous case of the “koffiekoek” ninja
Every project I’ve worked on in the past, be it as a developer or an analyst, has had one thing in common: a seemingly small detail that carries great danger. It’s a thing called “koffiekoeken”. “Koffiekoek” is the Flemish word for a sweet pastry that one would eat on a Sunday morning with a cup of coffee. It’s also a common thing to bring to the office as a treat. A bit like donuts, but in a truly Belgian way. Now, you might wonder what a piece of puff pastry has to do with ninjas, right? Read on…
You see, whenever you celebrate your birthday in Belgium, it’s common to bring a little something to the office to share with your colleagues. In about 90% of cases, koffiekoeken are the go-to treat. But they are also a form of punishment. We all have our ways of teasing colleagues who don’t lock their computers. Some of us have seen our desktop icons replaced by a meticulously crafted screenshot, or our screensaver swapped for rather particular imagery. In Belgium, chances are that a ghost sends an e-mail from your mailbox treating the whole team to coffee snacks whenever you leave your computer unattended.
At first glance, this may seem like a harmless shenanigan between co-workers. Analyzed more closely, however, the case of the koffiekoeken uncovers a far greater danger. I like to use this specific case to illustrate one of the bigger issues in IT security: not recognizing the danger. I don’t use it because I love koffiekoeken. Don’t get me wrong, I absolutely do. I use it because it makes the underlying problem visible and tangible: the unlocked session that lets a colleague send a prank e-mail lets anyone do anything A is allowed to do.
The shenanigan works the same way every single time. Colleague A leaves their desk unattended for a brief while. While A is off grabbing a coffee, colleague B seizes the opportunity to open Outlook and draft a new e-mail to the rest of the team, in which A generously treats everyone to koffiekoeken.
After a couple of minutes, colleague A gets back to their desk. Still unaware of what happened, A opens their mailbox and finds 10 unread messages from the other team members. “Great! Thank you A, I’ll have an eclair.” “Awesome, love you too. Any chance I could have one with raisins and glazing?” The list goes on.
Now imagine colleague B had other, less innocent, plans for A’s computer. You see, A, being the senior team member, is known to have local administrator rights on their computer in order to perform certain tasks. A goes away for a coffee and B needs only a couple of keystrokes.
Colleague B has just backdoored colleague A’s computer. Even if A locks their computer properly from now on, B can still log in and do whatever they want, because B’s access no longer depends on A’s session being open. From there, several scenarios are possible:
- B eavesdrops on A’s conversations
- B steals sensitive data from A’s computer
- B conducts an attack on the company network and frames A for it
- Colleague A now treats all team members to koffiekoeken every single week in an automated way
The list goes on; the possibilities are endless. This is, of course, a pretty extreme example, but it is also entirely realistic. To give you an idea, I once treated all team members to free pizza when one of my colleagues left their PC unlocked for the third time that month. When I sent the mail, the colleague was standing right behind me discussing matters with another colleague. Despite the short distance, he was oblivious to what I was doing two meters away until he got back to his desk. It was good pizza, but I could have done far worse if I had wanted to.
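The post does not show what B typed, and the most common form of this backdoor is simply an extra local account dropped into the Administrators group. The PowerShell below is an added example, not part of the original post, that colleague A could run afterwards to check for exactly that. It assumes PowerShell 5.1 or later on Windows 10, an elevated prompt, and that the allow-list of expected administrators (the CONTOSO names are hypothetical placeholders) has been adapted to your own environment.

```powershell
# Added example (not from the original post): audit a Windows workstation for
# the kind of backdoor B could plant in a few keystrokes, i.e. an extra local
# account in the Administrators group. Requires PowerShell 5.1+ on Windows and
# an elevated prompt for the Security event log query.

# Assumption: these are the only principals you expect to find in the local
# Administrators group. The CONTOSO entries are hypothetical; adjust to your environment.
$ExpectedAdmins = @(
    "$env:COMPUTERNAME\Administrator",
    "CONTOSO\Domain Admins",          # hypothetical domain group
    "CONTOSO\a.senior"                # hypothetical: colleague A's own domain account
)

Write-Host "== Members of the local Administrators group not on the allow-list =="
Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $ExpectedAdmins -notcontains $_.Name } |
    Select-Object Name, ObjectClass, PrincipalSource, SID |
    Format-Table -AutoSize

Write-Host "== Enabled local accounts and when their password was last set =="
Get-LocalUser |
    Where-Object { $_.Enabled } |
    Select-Object Name, PasswordLastSet, LastLogon, Description |
    Format-Table -AutoSize

# Event ID 4720 is logged by Windows when a user account is created. The
# SubjectUserName field names the account that did the creating, i.e. whoever
# was logged in at the time. A backdoor planted on A's unlocked session is
# therefore recorded as created *by A*, which is what makes the framing
# scenario above plausible.
Write-Host "== Local accounts created in the last 30 days (Security log, event 4720) =="
$Since = (Get-Date).AddDays(-30)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Created   = $_.TimeCreated
            NewUser   = $d['TargetUserName']
            CreatedBy = $d['SubjectUserName']
        }
    } | Format-Table -AutoSize
```

Two caveats. Event 4720 only appears if account-management auditing is enabled (it is on by default on modern Windows, but a disabled or cleared Security log shows nothing, which is itself a finding). And an extra administrator account is only the most obvious form of persistence; a scheduled task, a service, or a saved credential left behind by B would not show up in this check, so treat an empty result as "nothing found", not "nothing happened".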
In the age of USB Rubber Ducky keystroke injectors, an attacker does not even need to sit down: a device that looks like a memory stick types a scripted payload of thousands of keystrokes into an unlocked session in seconds. So from now on, no matter what you do, make sure to lock your computer, even if you are just grabbing a coffee for a minute. It’s in your best interest (and that of your team members’ waistlines).
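Locking the screen by hand should be the habit, but it helps to have policy catch the times you forget. The following PowerShell is an added example, not part of the original post, that sets a machine-wide inactivity lock and a password-protected screen saver on a single Windows 10 machine. It assumes an elevated PowerShell 5.1 or later prompt and a 5-minute limit you are free to change; on a domain-joined machine these same values would normally be pushed by Group Policy instead of being set locally.

```powershell
# Added example (not from the original post): enforce a lock on idle sessions so
# that forgetting Win+L is caught by policy. Requires an elevated PowerShell
# 5.1+ prompt on Windows.

# Assumption: 5 minutes of inactivity is the limit you want. Pick your own.
$IdleSeconds = 300

# "Interactive logon: Machine inactivity limit". Machine-wide, applies to every
# user on the box, and cannot be undone from a non-admin session.
$SystemPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
New-ItemProperty -Path $SystemPolicy -Name 'InactivityTimeoutSecs' -PropertyType DWord -Value $IdleSeconds -Force | Out-Null

# Per-user screen saver policy: on, password-protected, same timeout. These
# policy values are REG_SZ strings, which is why they are quoted.
$DesktopPolicy = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
if (-not (Test-Path $DesktopPolicy)) { New-Item -Path $DesktopPolicy -Force | Out-Null }
New-ItemProperty -Path $DesktopPolicy -Name 'ScreenSaveActive'    -PropertyType String -Value '1' -Force | Out-Null
New-ItemProperty -Path $DesktopPolicy -Name 'ScreenSaverIsSecure' -PropertyType String -Value '1' -Force | Out-Null
New-ItemProperty -Path $DesktopPolicy -Name 'ScreenSaveTimeOut'   -PropertyType String -Value "$IdleSeconds" -Force | Out-Null

# Show what is now in effect.
Get-ItemProperty -Path $SystemPolicy  -Name 'InactivityTimeoutSecs'
Get-ItemProperty -Path $DesktopPolicy -Name 'ScreenSaveActive', 'ScreenSaverIsSecure', 'ScreenSaveTimeOut'
```

This is a backstop, not a replacement for locking the screen yourself: in the five minutes before the timeout fires, the session is exactly as open as it was in the koffiekoeken story, and a keystroke injector needs far less time than that.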