everyone@company:~# echo "bad janitor" > /dev/null

Bad Janitor — ScrUSBs

Walter Oberacher, published in The Startup, Jun 10, 2020 (7 min read)

About “ephreet” (me)

Well everyone, for the sake of translation, reachability and editing capabilities, I chose this as the first of a series of articles to be moved over from LinkedIn.

This is really just a “train of thoughts” and will serve more as an introduction to what I like to talk about.

I am an Ethical Hacker and a System Engineer; my job doesn't always provide a way to actually be the first, so I try to be a researcher / bounty hunter / CTF player whenever I can. But maybe, more than anything else, I might just be a big classic nerd.

Side note: I am not used to writing in English anymore, so any Grammar Nazi out there is really really appreciated!

To the point

As I was saying, this is a translation of this article on LinkedIn.

everyone@company:~# echo "bad janitor" > /dev/null

Recently companies (Italian ones particularly) have undergone a strong Cyber Security awareness process, in large part thanks to really dangerous threats (see Petya, WannaCry, etc.).

Obviously, non-experts turn to third parties to obtain highly technological solutions; their interest is to have as many guarantees as possible and the certainty of being safe (often the main focus is just to "abide by the law").

There is nothing wrong with this: these solutions are very effective and the guarantees they provide are plenty.

Now imagine: you buy the most modern car, with a cutting-edge braking system, latest generation ABS, intelligent assistant. You drive it without a seat belt, with the airbag off, texting on a cell phone while smoking a cigarette. Am I safe behind the wheel? (Tesla autopilot doesn't count, don't cheat.)

The common sense and education of many of you will make you laugh at the comparison, because the exaggeration is clear, but I strongly believe that the missing piece is exactly common sense and computer science education, because in reality the comparison is very apt.

You all know that you have to drive with fastened seat belts and working airbag, taking care to avoid distractions like texting. Many of you do it. You know why: the physical risk you are taking is clear.

You all know that you should behave in a certain way with regard to managing credentials, accessing workstations and managing IT equipment. Some do, but it is often seen as unnecessary paranoia because the risk is probably not clear.

“… but I waste time…there are production needs…let alone someone attacks us…but it is more comfortable…”

If I am driving and I reply to some SMS or WhatsApp message because it is faster than stopping on the highway, I know the risk I am running (to no avail).

The Bad Janitor

What I call “the bad janitor” is that physical threat that is underestimated or ignored by many (literal translation of the title, for the less l33t).

Mind that this is not intended to be alarmism, but awareness of topics that we all (should) know. We simply assume we will never be the victim of a targeted attack.

The main reason we are not victims of an attack is that those who are able to carry one out have no interest in doing so (money).

In the minds of many, a hacker looks something like this:

Often it is idealized like this (thanks Hackerman ❤):

Actually this is a more likely example:

What are we talking about?

Mainly of Social Engineering and Cyber Security (Physical Layer).

Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. (Wikipedia)

The vast majority of Penetration Tests succeed in a short time thanks to targeted social attacks or physical access, when these are within scope.

The examples are the usual ones: a fake technician's phone call to get credentials or other information, a USB stick found in the parking lot, someone who physically shows up at the company and gets physical access to the network or the workstations …

The point is: we are in 2018 (it was when I wrote the article, but it seems to still be relevant) and these attacks, the simplest ones, are still the most successful.

Practical examples

Social Engineering

Made simple: any practice that allows me to obtain physical access to the premises of a company, or to obtain credentials or other information via email, telephone or in person, by pretending to be someone else. Do we really need to explain it?

We all know where we are lacking; we are simply sweeping it under the rug.

Here is an example a tutor once gave during a certification (might have been OSCP, can't recall now): he had to perform a penetration test for a customer, but the scope was limited and he could only carry out remote attacks, without physical interaction on the company premises. Phone interactions with staff were also prohibited. While investigating he discovered that one of the employees was fond of philately and had long been looking for rare stamps. What he did was prepare a fake website where he sold these hypothetical stamps, and then, during working hours, post on a forum the employee was registered to with a work email address. The victim immediately went to view the site from his own workstation, a site that contained ad-hoc written malware that granted remote access to the workstation, thus allowing access to other resources within the network.

What is the solution? Computer Education: don’t forbid, teach why some things cannot be done instead.

Once you have some kind of access you can proceed with other activities …

Lock-picking

It is a very common technique, practiced by many hackers also as a simple pastime: defeating locks in an elegant way by acting on the internal components with specific tools (picks).

It isn't about being brutal; it is more the physical counterpart of what a hacker does in a purely IT environment, that is, understanding the intrinsic mechanisms of a system in order to manipulate and circumvent them to gain access.

It’s like solving a Rubik’s cube, I could even recommend it as a hobby or educational tool for children to develop manual skills and sensory perception: it’s really fascinating.

Keep in mind that the practice itself is not a criminal activity: it is also taught in professional hardware institutes to understand the internal mechanisms of locks. Using it to access other people's property is a crime indeed, as is the violation of computer systems.

The hypothesis is that there is an electric lock with a badge reader, so no one without an authorized card can get in. Pity that the lock is a simple pin tumbler one: there is no need to clone the badges or bypass the reader, and the practice of lock picking allows you to open a lock without leaving a trace.

A penetration tester hired by the company to simulate a targeted physical attack will certainly have the skill to open a simple lock in their arsenal.

The solution? If the requirement of a badge reader is to limit access to restricted areas, then physical components like windows, locks and the type of wall must also be considered. (Yes, you all know about plasterboard walls, right?)

Bad USB/Rubber Ducky/HID (Human Interface Device)

Like in the movies!

Common practice in a targeted attack simulation is the USB Drop: leaving one or more pen drives where people pass by, trusting that a careless employee will insert one into their workstation.

Other techniques might be, after obtaining physical access to the premises, the use of USB sticks or smartphones suitably configured for connection to various types of devices.

We could perform HID attacks (simulation of keyboard / mouse commands) on unattended kiosks or devices, or insert a drive into a locked workstation to dump the logged-in user's hash in a few seconds.

Knowing that these attacks exist and are possible is the first step towards conscious and responsible behavior.

These techniques, which seem like science fiction, deserve a separate study, and I will write a dedicated article to explain how all of this is actual reality.
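As an added example (not code from the original article), here is the defender's side of the USB scenarios above: a small Python script that parses kernel-style USB enumeration log lines and flags the device shapes those scenarios rely on, namely removable mass storage, a keyboard-class HID device that is not in the workstation's inventory, and a USB device that presents a network interface (which is how a "suitably configured" phone or gadget typically shows up). The log lines, ports, vendor/product ids, product strings and the KNOWN_INPUT_DEVICES allowlist are all constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample lines in the style of Linux kernel USB messages. The ports, vendor/product
# ids and product strings are made up for this example and do not identify any real device.
SAMPLE_LOG = """\
usb 1-3: new full-speed USB device number 5 using xhci_hcd
usb 1-3: New USB device found, idVendor=1111, idProduct=0001, bcdDevice= 1.00
usb 1-3: Product: Example Keyboard
hid-generic 0003:1111:0001.0004: input,hidraw3: USB HID v1.11 Keyboard [Example Keyboard] on usb-0000:00:14.0-3/input0
usb 1-4: new high-speed USB device number 6 using xhci_hcd
usb 1-4: New USB device found, idVendor=2222, idProduct=0002, bcdDevice= 1.10
usb 1-4: Product: Example Flash Drive
usb-storage 1-4:1.0: USB Mass Storage device detected
usb 1-5: new high-speed USB device number 7 using xhci_hcd
usb 1-5: New USB device found, idVendor=3333, idProduct=0003, bcdDevice= 4.19
usb 1-5: Product: Example Phone
cdc_ether 1-5:1.0 usb0: register 'cdc_ether' at usb-0000:00:14.0-5, CDC Ethernet Device
hid-generic 0003:3333:0003.0005: input,hidraw4: USB HID v1.11 Keyboard [Example Phone] on usb-0000:00:14.0-5/input1
"""

# Constructed allowlist of (idVendor, idProduct) pairs for input devices this workstation is
# expected to have; in practice this comes from an inventory, not from the log itself.
KNOWN_INPUT_DEVICES = {("1111", "0001")}

NEW_DEVICE_RE = re.compile(r"^usb ([\d.-]+): New USB device found, idVendor=(\w+), idProduct=(\w+)")
PRODUCT_RE = re.compile(r"^usb ([\d.-]+): Product: (.+)$")
HID_RE = re.compile(r"^hid-generic 0003:([0-9A-Fa-f]{4}):([0-9A-Fa-f]{4})\.\w+: .*USB HID v[\d.]+ (\w+) \[")
STORAGE_RE = re.compile(r"^usb-storage ([\d.-]+):\d+\.\d+: USB Mass Storage device detected")
NET_RE = re.compile(r"^(?:cdc_ether|rndis_host|cdc_ncm) ([\d.-]+):\d+\.\d+ \S+: register ")


@dataclass
class UsbDevice:
    port: str
    vendor: str = ""
    product_id: str = ""
    product: str = ""
    classes: set = field(default_factory=set)  # e.g. {"hid-keyboard", "storage", "network"}


def parse_usb_events(log_text):
    """Group kernel USB lines into one UsbDevice per port, recording which driver classes bound."""
    devices = {}  # port -> UsbDevice
    by_id = {}    # (vendor, product_id) -> UsbDevice, used to attach hid-generic lines
    for line in log_text.splitlines():
        if m := NEW_DEVICE_RE.match(line):
            port, vid, pid = m.group(1), m.group(2).lower(), m.group(3).lower()
            dev = UsbDevice(port=port, vendor=vid, product_id=pid)
            devices[port] = dev
            by_id[(vid, pid)] = dev
        elif m := PRODUCT_RE.match(line):
            if m.group(1) in devices:
                devices[m.group(1)].product = m.group(2)
        elif m := HID_RE.match(line):
            # hid-generic reports the id as 0003:VVVV:PPPP (hex); normalise case to match idVendor/idProduct
            dev = by_id.get((m.group(1).lower(), m.group(2).lower()))
            if dev:
                dev.classes.add("hid-" + m.group(3).lower())
        elif m := STORAGE_RE.match(line):
            if m.group(1) in devices:
                devices[m.group(1)].classes.add("storage")
        elif m := NET_RE.match(line):
            if m.group(1) in devices:
                devices[m.group(1)].classes.add("network")
    return devices


def assess(devices, known_input=KNOWN_INPUT_DEVICES):
    """Return (severity, port, reason) findings for the device shapes the USB scenarios rely on."""
    findings = []
    for port, dev in sorted(devices.items()):
        is_keyboard = "hid-keyboard" in dev.classes
        if is_keyboard and (dev.vendor, dev.product_id) not in known_input:
            findings.append(("high", port, f"keyboard-class HID device not in inventory: {dev.product!r}"))
        if "network" in dev.classes:
            findings.append(("high", port, f"USB device exposing a network interface: {dev.product!r}"))
        if "storage" in dev.classes:
            findings.append(("medium", port, f"removable mass storage attached: {dev.product!r}"))
        if is_keyboard and dev.classes & {"storage", "network"}:
            findings.append(("high", port, "composite device: keyboard plus storage/network"))
    return findings


if __name__ == "__main__":
    for severity, port, reason in assess(parse_usb_events(SAMPLE_LOG)):
        print(f"[{severity.upper():6}] usb {port}: {reason}")
```

Run as-is it reports nothing for the inventoried keyboard on port 1-3, a medium finding for the flash drive on 1-4 and three high findings for the phone on 1-5 (keyboard not in inventory, network interface, composite device). Matching by vendor/product id is the same idea device-policy tools such as USBGuard apply at enforcement time; since those ids can be set to anything by the device, treat this as telemetry that feeds an alert, not as a gate on its own.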

Conclusions

Certainly I have not reinvented the wheel; probably the smartest part of the article is the title itself, but if someone gets the message, it is meant to be simple and direct: the nuclear bunker is of little use if we leave the door open. Pretty much literally, and this includes being unaware of the risks.

The second purpose of what is written is to serve as an introduction to other topics I was studying, such as the use of USB Armory and NetHunter to evolve and deepen/widen USB attacks (this was at the time the article was written; now I should start over recovering notes etc. I will get back to those for sure when I have the time).

Walter Oberacher, The Startup

Ethical Hacker and a System Engineer, I try to be a researcher / bounty hunter / CTF player whenever I get the chance.