Taking Advantage of Physical Access

by Wrangler

If you want to attack someone, you don't do it on CNN.  Rather, you plan covertly, go in quietly, accomplish your objective, and get out leaving no traces.

This methodology is standard operating procedure for hackers, military Special Forces, and anyone else with a clue.  What follows is a brief lesson on how to hack a computer in a secure organization under certain circumstances.

The following givens apply to this discussion.

First, physical access to the target machine is required.

Second, the machine must not require authentication, i.e. it must already be "logged in."

Third, the available account must afford sufficient privileges to permit the user to physically attach hardware to the machine.  On most computers running a variant of UNIX this will require operator or root account access.  On computers running Microsoft Windows XP or 2000 every account can perform this task unless explicitly prohibited in the user policy.

Begin by purchasing a 256 megabyte solid-state hard drive.  I bought one recently on eBay for around $50 plus shipping and handling.  The typical unit measures 1/4 x 3/4 x 2-3/4 inches.  The unit connects to the computer using any available Universal Serial Bus (USB) port.  Any computer that has enabled USB ports recognizes the hardware.  Driver installation is automatic for Windows XP and 2000 machines, courtesy of Microsoft's "Plug and Play" mechanism.  The drive will appear as a removable disk.

For machines running UNIX with USB compiled into the kernel, no driver is required.  However, formatting, mounting, and unmounting the drive requires full administrator (root) privileges.  The drive can be pre-formatted with various file systems for Windows or UNIX machines depending upon what machine you intend to target.  Format the drive with one or more file systems prior to reaching the target location.

These new solid-state USB drives are virtually undetectable by the hulking giant metal detectors used to scan people who enter and leave corporate and government buildings.  Dismantle or modify the sole or heel of a running shoe or dress shoe so that it will accommodate the hardware.

To infiltrate the device into the target location, upon arrival at the target casually toss your suspicious cellular phone and deadly car keys into the plastic tray provided and walk through the metal detector without so much as a second look.  If the target location requires you to remove your shoes, as some federal buildings do, conceal the device in a metal coffee mug by wrapping it in a plastic bag, effectively "floating" the device inside the metal container, which will appear to be empty.

In the unlikely event that security personnel open the container, act surprised, apologize, and retreat to return the offensive device back to your car.

Once you have infiltrated the device within the confines of the building, it is a simple matter of waiting for an opportunity.  Given an unattended workstation that is not properly secured and a couple of uninterrupted minutes, the data, confidential or otherwise, are yours for the taking.

Surprisingly, the one shortcoming of using these devices is not the gizmo itself.  Rather, the target computer's hard drive will be your biggest obstacle.

The flash memory chip inside the solid-state hard drive can read in the data as fast as the computer can hand it over.  Hard drives, however, operate much more slowly, make noise, and usually illuminate a light when they are in operation.  Additionally, the presence of the USB port on the front of the machine, such as with some Compaq workstations, will make the data transfer somewhat conspicuous since some solid-state flash disks light up when connected.

To implement the data transfer, a variety of options are available.

You may choose a commercial product, such as Symantec GHOST, and attempt to copy the entire drive (provided that the solid-state disk can accommodate the target hard drive's capacity).

Alternatively, you can utilize other software, perhaps custom built to not show up in the Task Manager window, and grab data at your leisure.

The data capture can be scripted if you are familiar enough with the target machine to identify the data of interest beforehand.  If you will have uninterrupted access to the machine over a long period of time, this is the best method since the software can be written to perform the data transfer in a less obvious manner.  Another option available if the machine will be accessible over a long period of time is to utilize a keystroke monitor and capture any username and password combinations that the target may enter.

Recently, I attempted this tactic on an unsuspecting acquaintance.  While distracting the target, I inserted the solid-state hard disk into the USB port on the back of their PC.  The Windows operating system automatically recognized and installed the drive.

Next, Windows automatically loaded a pre-written script, named autorun, from the flash disk.  The script proceeded to copy the workstation's My Documents folder and all existing subfolders while the target and I were away from the office.

Back in the office, when the opportunity presented itself, I removed the hard drive from the USB port.  The target computer displayed a dialog box indicating that removing a drive without detaching it first is not recommended.  I quickly checked the "Do Not Display" box and clicked the O.K. button.  With the flash disk in my pocket, I walked away undetected.

What can be done to defend against such an attack?

Since most organizations will not abandon Windows, they need to ensure that their existing network security policy prohibits users from attaching any hardware to their machines.  Site security needs to be educated and informed about the technology so that they can be more vigilant.

Last but not least, employees must be trained to not leave their workstations unattended for any period of time, especially when non-employees are present in the organization.
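As an added example, not part of the original article, the following PowerShell script audits and optionally enforces the two host settings that break the attack described above: disabling AutoRun on every drive type and disabling the USB mass-storage class driver.  The registry paths and values are Microsoft's documented settings; the function names are my own, and an elevated session on the Windows host is assumed.

```powershell
# Added example (not from the original article). Assumes an elevated PowerShell session.
# Registry locations below are the documented Microsoft settings for these two controls.
$AutorunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-RemovableMediaPosture {
    # Reads both controls and reports whether each is in its hardened state.
    $autorun = (Get-ItemProperty -Path $AutorunKey -Name NoDriveTypeAutoRun `
                -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $usbstor = (Get-ItemProperty -Path $UsbStorKey -Name Start `
                -ErrorAction SilentlyContinue).Start

    [pscustomobject]@{
        Control  = 'NoDriveTypeAutoRun (0xFF = AutoRun off for all drive types)'
        Current  = $autorun
        Hardened = ($autorun -eq 0xFF)
    }
    [pscustomobject]@{
        Control  = 'USBSTOR Start (4 = service disabled; USB mass storage cannot load)'
        Current  = $usbstor
        Hardened = ($usbstor -eq 4)
    }
}

function Set-RemovableMediaHardening {
    # Applies both settings. AutoRun change applies at next logon; the USBSTOR change
    # stops the driver loading for devices attached after this point.
    if (-not (Test-Path $AutorunKey)) { New-Item -Path $AutorunKey -Force | Out-Null }
    Set-ItemProperty -Path $AutorunKey -Name NoDriveTypeAutoRun -Type DWord -Value 0xFF
    Set-ItemProperty -Path $UsbStorKey -Name Start -Type DWord -Value 4
}

# Audit only; call Set-RemovableMediaHardening to enforce, then re-run the audit.
Get-RemovableMediaPosture | Format-Table -AutoSize
```

In a domain, push the same values through Group Policy rather than per host, and pair them with the workstation lock-on-idle setting the article's last paragraph implies.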
