We were recently hired by a financial institution to assess their network security as well as to handle a special request to see how just far we could reach inside some of their facilities. The goal was for us to collect data and connect to their internal network.
The client felt its employees were good people and very customer-friendly, but almost to a fault. They were worried that some employees were too trusting and non-confrontational with strangers on-site. Customer service was important to them, but it was also necessary for them to challenge any outsiders performing services for them.
Together we devised a plan to check out the main office and two branch locations. My colleagues and I chose different roles for the primary and branch locations. For the main office, we posed as auditors from one of the Big Five accounting firms. Our objective there was to gain access to the facility and then commandeer a conference room, connect to the internal network, and then access open offices and collect data by flipping keyboards and grabbing sticky notes with logins, passwords, and any helpful data. At the two branch locations, I was to pose as a copier repairman as we had done during other gigs to get network access.
To increase our chances of obtaining helpful data, we decided to leverage U3 USB technology available in some of the newer memory sticks. For those of you unfamiliar with U3 technology, a U3 smart drive can make any computer your own PC. And when you unplug it, it leaves no personal data behind. We planned to use U3 USB technology for collecting data from the financial institution's devices. My colleague, Bob Clary, crafted a program that would extract the "My Documents" folder off the machine when the USB U3 thumb drive was inserted into a computer, and then copy it onto the thumb drive. This allowed us to collect useful data quickly and discreetly.
On the day of the caper, we donned our dark suits and armed ourselves with fake Big Five accounting firm business cards. (Our business cards always have our real names and contact data so in the event we get caught, explaining who we are becomes easier to the authorities.) When we entered the building, we approached the receptionist and introduced ourselves as auditors who had been directed by one of their people (who in fact was our contact) to work on-site. Unable to reach our contact, we were escorted to a large conference room. The employees said they had plans to use the room for interviews that day, but insisted we take it while they found another location. Once the door closed, my partner and I set up camp. He scoured the room to find a network jack to plug into while I conducted reconnaissance throughout the building.
Walking through the building is an important step in collecting information, but being discreet without drawing attention to yourself can be difficult. I started looking for a couple of key places the coffee break area and the restroom. Carrying a coffee mug and making frequent restroom trips always seem to give the appearance of belonging. When you walk through the facility as if you have a purpose, you don't usually raise suspicion.
Bob scanned the internal network from the conference room, and I poked around the facility for machines to connect my U3 thumb drive to. To the credit of our customer, almost every computer was positioned under a desk, with no easily exposed USB ports. So it seemed like a bad idea for me to crawl under a desk that didn't belong to me while I was wearing a suit.
We worked a total of seven hours inside, and no one questioned our presence. Bob was able to become a domain administrator on the network, and we both had our fill of coffee and donuts.
As a wrap-up for the day, we collected our equipment and departed from the door through which we had entered and then went to meet with our client to brief him on our time in the building. Even though our inability to use the U3 drives seemed a big win for the client, there was still some real concern over the significant amount of time we were able to successfully spend inside.
After we parted company with our client, my cell phone rang: It was the receptionist who had let us into the building. I guess we had made a good impression, because she kindly asked me if I needed the conference room the following day. Although it was tempting, I declined.
Day two required a visit by the "copier repairman" to a couple of the customers branch locations. The goal was to unplug the multifunction copier/printer, scan the network, get close to the users machines, and connect my U3 memory stick to siphon off data.
I entered the first location as the new copier serviceman, there to provide a complimentary preventive maintenance service call on the copier/printer. The person who greeted me asked that I wait until she asked the branch manager. The branch manager immediately came out and confronted me. He said no service people were allowed in the building unless he had been contacted by headquarters. I left defeated, with nothing but my U3 drive, laptop, and bogus copier repair gear.
Later that day, we went to branch No. 2, using the same story as earlier that day. I was worried I would get rejected again, but the person I spoke with immediately confided in me about her personal hatred of the machine. My visit was apparently welcome, so I got permission to start work. I dismantled the copier/printer, plugged my laptop into the network, and started looking at anything interesting. I sniffed a segment of the network to see if I could grab a login and password or two this move usually affects network speed and within minutes, I heard the predictable sounds of complaints from users in my area. So I stopped sniffing and decided it was time to get going, and reassembled the copier/printer and packed up my gear.
As I began putting away my laptop, I remembered my U3 memory stick. I still needed a way to get closer to the users, so I asked a nearby user if I could validate her ability to print to the machine I had just worked on. She agreed, and I told her that I had a special diagnostic program on the memory stick, which she would need to plug into her machine to be sure the printer worked properly. Unbeknownst to her, the U3 had absolutely nothing to do with her printing from her machine, which of course worked perfectly. Users within an earshot asked if they, too, could validate as well and within minutes, I had each user inserting my exploiting memory stick into their computers. With plenty of data (and a redeemed social engineering caper), I loaded up my gear and fled the building.
As I drove away from the branch, I thought about what we had accomplished but also about the real dangers of the powerful U3 technology that I had just demonstrated. It exacerbates the existing risk of any devices that plug into your network: It's not just threats coming into the network via these drives, but now it's also the danger of U3 to surreptitiously steal data with little human intervention. U3 has its benefits, but there can be a cost, too.
Hopefully, the "copier/printer repairman" isn't the only one who realizes that.