
Risk

2/18/2007
08:00 AM

Let's Wrestle for It

A grab-n-go with a suspect employee's laptop turns unexpectedly physical

Our company specializes in performing information security assessments and penetration tests; we pride ourselves on our expertise in techniques like social engineering. But frequently we are retained to investigate a suspect employee who might be doing something malicious or questionable on a company network. What was social can turn physical... Let me explain.

To determine if the employee is doing something illicit, we look at the person's computer remotely, watching the traffic coming and going, and logging events. But occasionally we run into a suspect who's computer savvy, knowledgeable about digital surveillance, or paranoid beyond compare. More often than not the person knows he is a suspect, so asking him to relinquish data or a company-provided laptop becomes difficult. In this type of scenario we are forced to social engineer our way into that person's space to get a closer look. Unfortunately this is easier said than done, and occasionally this escalates into a physical confrontation with the person of interest.

Even after several years in this industry, we never cease to be amazed at what intelligent people have tried to pull off using their computers. That's topped only by the irrational behavior that follows when they're caught.

Case in point -- a large corporation recently retained us to investigate an employee suspected of stealing from the company. The executives who hired us indicated the person was extremely computer literate and held an executive-level position. They asked that we be as surreptitious as possible, trying not to alert him to what we were doing, as well as minimize the impact to the company in the event nothing was found.

They were concerned about his outside business interests and worried he might be using their resources and company finances for personal gain. The employer was also concerned that if we asked for the computer as IT staff or contractors, he would destroy the contents of the drive or possibly the entire computer. Numerous efforts were made to remotely look at his company-provided laptop, all of which failed. With permission of the employer, our goal then became to steal his laptop when he was in the office.

This is far easier said than done. Most people would put up a fight to stop their laptop from being stolen... Try this with someone who knows he could be incriminated with the data on it.

Posing as building maintenance, we were armed with tool belts, a ladder, and other custodial devices. Our goal was to position ourselves by his office, appear as if we were servicing something in the ceiling, then grab his laptop and make a run for it. To minimize any involvement of employees in the office, we planned the attempt at quitting time, hoping that the majority of the office had left. Our suspect frequently stayed late, so his hours worked to our advantage.

To prepare for our success, failure, or any mishaps, our client was on high alert. We set up our ladders and equipment conveniently close to our suspect's office. Our disguises apparently were working, since he appeared uninterested in who we were and what we were doing. As he answered a cellphone call, he rose from his desk and proceeded to walk out of his office; at that point we went in and grabbed the laptop.

Our success was short-lived when he turned and saw us walking out with his machine. His polished, professional demeanor changed for the worse when he saw us trying to leave the building. He raced toward us and began trying to pry the laptop from my colleague's hands, while cursing and calling us unprintable names.

It became a tug-of-war between us and him. Finally my colleague was overpowered and lost the laptop. I was amazed at how strong this guy suddenly became, since he had to be 15 years older than my partner.

Our suspect rushed back into his office and proceeded to call security. I was puzzled as to what he was thinking, since the two "thieves" were still in his presence, not trying to escape after our failed attempt to steal his property. I knew the confrontation was not over, so preparing for the worst, we called our contact to explain what had happened.

As all this was happening we kept watching our suspect's behavior. He clutched the laptop in his arms and would occasionally crack the machine open and try to navigate the built-in mouse to do something; our assumption was that he was trying to delete content. When we grabbed the machine, there was no time to power it off. To discourage him from trying to use the computer, and for fear of what we thought he might be deleting, we made an occasional lunge at him and he'd slam the laptop closed.

Thankfully, when security arrived they had already been notified about the situation. As our suspect began ranting about how we tried to steal his machine and that we should be arrested, his behavior deteriorated even more when security told him to relinquish the computer to us. He loudly questioned the security guards' role and demanded the police. Within minutes, two law enforcement officers arrived. After we told them our story and they validated it with our customer, the officers made him give up the laptop. His anger and frustration were plainly evident.

Once the laptop was in our possession, we began our digital forensics. Our results helped considerably in the legal action taken against the employee. We uncovered numerous instances of his misuse of company resources and finances.

After incidents like these, we always ask ourselves why an educated person, knowledgeable in information technology, would consider doing such things on a computer owned by his employer. Such events also remind us that people change into completely different animals when you take their data. The mild-mannered businessman or prim and proper secretary can quickly change with violent, irrational behavior -- not to mention superhuman strength. It's the part of the social engineering game that really keeps us on our toes.

— Steve Stasiukonis is VP and founder of Secure Network Technologies Inc. Special to Dark Reading
