IFSEC Insider is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.
Terry Cutler is a Certified Ethical Hacker and co-founder of Digital Locksmiths, Inc., an IT security and data defense firm based in Montreal. He serves as the company's Chief Technology Officer.
In this article, ethical hacker Terry Cutler explains how he made creative use of a company's toilet to gain access to its network.
I am a Certified Ethical Hacker, which basically means I get paid by companies to hack into their networks.
My company, Digital Locksmiths, was hired by a manufacturing firm in 2011 to try and expose any security vulnerabilities that might be lurking in the ether.
A company’s external infrastructure — including web servers, domain name servers, email servers, VPN access points, perimeter firewalls, and any other applications publicly accessible from the Internet — is typically considered the primary target of security attacks. So that’s where we start.
Our methods include password cracking and eavesdropping, as well as keystroke loggers, sniffers, denial of service and remote-control tools. In this case, I tried attacking the firewall systems with every trick in our digital lock picker's toolkit, but to no avail: the network was locked tight, so to speak.
So I told myself, “Screw it. I’m going in.”
You see, companies with an impenetrable wall against external attacks are often surprisingly open to insider threats.
Hackers are able to expose these vulnerabilities by exploiting one simple fact: Most people will respond in a highly predictable way to a particular situation.
First, I did a little recon on Google Earth and Street View to familiarize myself with the physical perimeter of the company’s building and grounds. Since the character I was playing that day was “me,” the walking stereotype of a friendly, guy-next-door, I put on my usual garb: a pair of good jeans and a button-down shirt.
I hopped into my truck and drove over to the facility. Doing my best to look sharpish, I walked into the front lobby and said to the receptionist: “This is really embarrassing, and I don’t usually ask for this type of favor, but I wonder if I could use your washroom? I knew I’d regret ordering that super-sized drink!”
She smiled — a good sign — and buzzed me in. Once I was inside the men’s room and had confirmed it was unoccupied, I yanked two USB keys out of my pocket and dropped one on top of the metal toilet paper holder in each stall.
I quickly gave myself a thumbs-up in the mirror, strolled back to the lobby and flashed the receptionist a big smile as I walked out the door.
I drove back to my office and waited, because as soon as someone plugged one of my USB keys into a computer, a program on the flash drive would auto-run and open a remote connection back to my computer.
This would give me a foothold on the workstation and the ability to 'pass the hash.' Note that I'm not talking about the good ol' college days here: rather than needing the owner's password, we lift the stored password hash (the NTLM hash) for the logged-in user from the compromised machine and present it to the company's own servers. Because NTLM authentication is computed from that hash and not from the password itself, the servers accept it exactly as they would a real, normal login.
In a short time, my computer sprang to life: With the ability now to log into the company’s network, I was poised to unleash all kinds of mayhem — from extracting user names and passwords to opening and interacting with files on the compromised system, to taking screenshots of current activity on a user’s desktop.
Needless to say, company management was horrified to learn how easily I had hacked into their system, simply by exploiting how people react in certain situations.
My ‘Big Gulp’ ruse was a success because, by and large, people are inclined to be helpful. And it’s true — curiosity does kill the cat. Nine times out of ten a person who finds a random USB stick will wonder what’s on the thing and plug it in to find out.
(In fact, my backup plan should my men’s-room story have failed was to tell the receptionist that someone dropped this USB stick on the floor and hand it to her.)
Defending against modern attackers
This episode underscores the fact that security involves more than just protection of your network’s firewall. Internal threats are real — and they aren’t all necessarily the work of a disgruntled employee.
Employees need to understand that security threats can be triggered in numerous ways, and they need to be trained to recognize threats masquerading as something perfectly innocuous, like the guy next door. A simple device-control policy, allowing only one approved model of company-issued USB storage device to mount on workstations and disabling AutoRun on them, might have prevented me from gaining access to the network in this case.
Companies also need to recognize when they have a problem, and the sooner they know, the better their chances of minimizing the harm done. The good news is that most enterprises already have an enormous amount of data scattered across firewall, application, router and server logs that would tell them what is going on within their networks. The bad news is that all too few know how to aggregate that data and put it to use.
Security professionals need to put in place the technologies and processes that give them access to those security logs, together with log management that can extract from them the information required to keep the infrastructure secure.
Better yet, they can deploy a Security Information and Event Management (SIEM) system to collect and correlate that data, together with a process for integrating security events with identity and access information: which accounts exist, who owns them and which machines they are expected to log on from. With that in place, our hacking incident would have raised a string of alerts, an unrecognized USB storage device appearing on a workstation, a new outbound connection from that workstation minutes later and the unusual server logons that followed, long before any proprietary data was accessed.
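Once security events are joined with identity and asset context, the three steps of the story above become detectable. The following is an added example, not the article's or any vendor's code: a minimal correlation routine in Python run over constructed endpoint, firewall and file-server log lines. It applies the device allowlist policy described earlier (only one approved model of USB key) and two further rules, one for an external connection shortly after an unknown device appears, one for NTLM network logons from a workstation the account was never assigned to. The hosts, addresses, account-to-workstation assignments and approved vendor/product ID are assumptions.

```python
"""Log correlation with identity and asset context, as an added example (not
the article's or any vendor's code). Every host, address, account assignment
and the approved device ID below is constructed for the demo."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Context a SIEM would pull from the directory and asset inventory (constructed).
APPROVED_USB = {("0951", "1607")}       # VID/PID of the one company-issued USB key model
ASSIGNED_WORKSTATIONS = {               # which hosts each account legitimately logs on from
    "jdoe": {"WS-017"},
    "asmith": {"WS-004"},
    "svc_backup": set(),                # service account: never from a workstation
}
HOST_IP = {"WS-017": "10.20.5.17", "WS-004": "10.20.5.4"}
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
USB_TO_EGRESS_WINDOW = timedelta(minutes=10)

# Constructed feed: endpoint agent, edge firewall and file-server security log.
SAMPLE_LOG = """\
2011-06-14T09:02:11 host=WS-017 src=endpoint event=usb_storage_attached user=jdoe vid=0951 pid=1607
2011-06-14T09:09:48 host=WS-017 src=endpoint event=usb_storage_attached user=jdoe vid=13fe pid=4200
2011-06-14T09:10:20 host=FW-EDGE src=firewall event=allow proto=tcp src_ip=10.20.5.17 dst_ip=203.0.113.44 dst_port=443
2011-06-14T09:11:02 host=FS-01 src=winevent event=4624 logon_type=3 auth=NTLM user=jdoe workstation=WS-017 src_ip=10.20.5.17
2011-06-14T09:11:37 host=FS-01 src=winevent event=4624 logon_type=3 auth=NTLM user=svc_backup workstation=WS-017 src_ip=10.20.5.17
2011-06-14T09:15:00 host=FS-01 src=winevent event=4624 logon_type=3 auth=Kerberos user=asmith workstation=WS-004 src_ip=10.20.5.4
"""


def parse(line: str) -> dict:
    """Timestamp followed by key=value pairs -> dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.fromisoformat(ts)
    return ev


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def correlate(log_text: str) -> list:
    """Run the three rules over the feed in time order and return the alerts raised."""
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()), key=lambda e: e["ts"])
    alerts = []
    suspect_hosts = {}  # host -> time an unapproved USB storage device appeared on it
    for ev in events:
        if ev.get("event") == "usb_storage_attached":
            # Rule 1: device control. Anything but the approved model is an alert.
            if (ev["vid"], ev["pid"]) not in APPROVED_USB:
                suspect_hosts[ev["host"]] = ev["ts"]
                alerts.append({"rule": "unapproved_usb_storage", "host": ev["host"],
                               "user": ev["user"], "ts": ev["ts"]})
        elif ev.get("src") == "firewall" and ev.get("event") == "allow" and not is_internal(ev["dst_ip"]):
            # Rule 2: external connection from a host that just got an unknown USB device
            # (the payload calling home). The inventory ties the source IP back to a host.
            host = next((h for h, ip in HOST_IP.items() if ip == ev["src_ip"]), None)
            t0 = suspect_hosts.get(host)
            if t0 is not None and ev["ts"] - t0 <= USB_TO_EGRESS_WINDOW:
                alerts.append({"rule": "egress_after_unapproved_usb", "host": host,
                               "dst": ev["dst_ip"], "ts": ev["ts"]})
        elif ev.get("event") == "4624" and ev.get("logon_type") == "3" and ev.get("auth") == "NTLM":
            # Rule 3: NTLM network logon from a workstation the account is not assigned to;
            # the pass-the-hash footprint once identity data is in the picture.
            if ev["workstation"] not in ASSIGNED_WORKSTATIONS.get(ev["user"], set()):
                alerts.append({"rule": "ntlm_logon_from_unassigned_host", "host": ev["workstation"],
                               "user": ev["user"], "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

On the sample feed the approved key at 09:02 is silent, while the second device, the connection to 203.0.113.44 that follows it and the service-account logon from WS-017 each raise an alert. Rule 3 on its own is an indicator, not proof (someone logging on from a colleague's desk trips it too), which is why it is worth more when it lands in the same ten-minute window as the device and egress hits rather than being acted on alone.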
While it’s true that security threats have become more menacing, remember that security defenses also have become more powerful. Make sure you take the necessary steps to protect your infrastructure and your data.
This article was originally published in 2013, and was – understandably – one of the most popular articles that year!
The USB Keys in the Urinal: A Cyber Security Story
An 'ethical hacker' recounts how he breached security at a manufacturing firm by exploiting a core human weakness: curiosity.
Terry Cutler