I got the idea for this article during a presentation by Paula Januszkiewicz on the last day of Cybercon (you can find details about the talk here). During the presentation, Paula told a story about a physical security test she had done for one of her clients and how she was able to gain access to the site.
The story went something like this. She walked into the lobby behind other people entering the building and saw one of them press level 6 on the electronic floor selection pad. That was the floor she needed to get to. She said she was pretty stoked that her mark turned out to be a handsome guy (she said it is much easier to do what she does as a pretty girl, and she is probably right). When the elevator doors opened she immediately stepped into the elevator he was about to enter and went straight to the back. She explained that she went to the back to stay out of his line of sight: it let her watch what he did when entering PINs, biometrics or anything else, and it stopped him from watching her too closely, which would have been weird and awkward for both of them.
When he entered he looked over at her, and she gave him a slight smile and brushed her hair out of her face a little shyly. He turned around and faced the door with her behind him. After a few moments he turned back and she gave him a sort of flirty "Hi", and he responded in kind with a massive smile on his face. At that point, she told the audience, she knew she had him. They rode almost silently to the sixth floor, and when the doors opened he stepped forward, held the door for her and said something along the lines of "I hope I will see you around, maybe we could have some lunch?" She replied "Maybe" in the same flirty manner, stepped out onto the sixth floor and turned down the hallway as if she knew exactly where she was going (obviously she didn't).
She walked onto an open floor with the usual cubicle-style layout and saw two people get up from their desks without locking their machines. She made her way to one of them and plugged in a USB drive carrying her malicious payload. A few people looked at her, but no one said anything or attempted to stop her. She then went on to make noise and make it obvious that she was not where she should be, because she wanted to get caught: part of her test was finding out what it would take to trigger a response.
Paula's story reminded me of a time when I tested the physical security of a company. I walked in and sat down in one of their meeting rooms. I then plugged my laptop into one of their network ports and started to fish around their network. I then attempted to break into the wireless network, and the whole time no one was even curious why I was there. I could have sat there doing whatever I wanted.
What would your staff do in this situation? Do you think they would say anything? Do you think any of them would even bother to check whether you are authorised to be there? I don't think that in most mid-to-large organisations most people would take any notice. They would shrug it off as another new employee and wouldn't think twice about it in most instances. In SMBs it is more likely that an unauthorised person would be called out for being somewhere they are not authorised, because everyone knows each other and would usually be aware that a new person is starting.
This needs to be discussed more in security awareness training. We need everyone to notice these things, and even staff who are not comfortable with confrontation should be able to tell someone that a suspicious or unknown person is accessing a restricted location. That alone would be enough. If we can do this it will greatly improve security, and it only requires awareness: very cheap and effective protection to implement, don't you think?
So that covers people walking into unauthorised locations, but what about a retail store or some other publicly accessible area with PCs in it? Could someone just walk up and plug in a modified USB charging cable? During another talk at the conference I watched a demonstration by Kevin Mitnick, who used what they call a ninja cable to execute a malicious payload on a machine and then gain access to it from his other computer (check out a previous recording of his about this). It is very simple, and it is a threat vector that should be discussed with staff.
This is not a new attack vector; malicious actors and pentesters have long plugged in USB drives to get their code onto systems. One example he discussed in his talk of how this could play out: send someone a free iPhone as a prize for a competition you made up, with the original charging cable swapped for the malicious one. When they plug the phone in to charge, the code executes and bam, you're in. Would your staff notice a USB charging cable, or even think of it as a threat? No, they wouldn't.
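Awareness is the first line of defence, but a technical check belongs next to it. As an added example (it is not code from the original post, nor from Paula's or Kevin's talks), the Python script below shows one way to spot a cable of this kind after it is plugged in. It assumes the common design for such cables: a hidden microcontroller that enumerates as a USB keyboard and types its payload. The script parses Linux kernel (dmesg) lines for USB HID enumeration events and flags any new keyboard that is not on an allowlist, with a sharper warning when the device's own product string says it is a cable or charger. The log lines, the vendor/product ID 1a2b:3c4d, the product strings and the allowlist are all constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample of Linux kernel (dmesg) lines for two USB devices being plugged in.
# Device 1-3 (hypothetical ID 1a2b:3c4d) presents as a "charging cable" but registers a HID keyboard.
# Device 1-4 is a real Logitech receiver ID (046d:c52b) used here as the allowlisted keyboard.
SAMPLE_DMESG = """\
[  412.101] usb 1-3: new full-speed USB device number 7 using xhci_hcd
[  412.250] usb 1-3: New USB device found, idVendor=1a2b, idProduct=3c4d, bcdDevice= 1.00
[  412.251] usb 1-3: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[  412.252] usb 1-3: Product: USB Charging Cable
[  412.253] usb 1-3: Manufacturer: Generic
[  412.310] input: Generic USB Charging Cable as /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.0/0003:1A2B:3C4D.0007/input/input21
[  412.311] hid-generic 0003:1A2B:3C4D.0007: input,hidraw3: USB HID v1.11 Keyboard [Generic USB Charging Cable] on usb-0000:00:14.0-3/input0
[  500.000] usb 1-4: new high-speed USB device number 8 using xhci_hcd
[  500.120] usb 1-4: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.10
[  500.121] usb 1-4: Product: USB Receiver
[  500.200] hid-generic 0003:046D:C52B.0008: input,hidraw4: USB HID v1.11 Keyboard [Logitech USB Receiver] on usb-0000:00:14.0-4/input0
"""

# Kernel line formats: device enumeration, the device's product string, and hid-generic binding.
NEWDEV_RE = re.compile(
    r"usb ([\d.-]+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})"
)
PRODUCT_RE = re.compile(r"usb ([\d.-]+): Product: (.*)$")
HID_RE = re.compile(
    r"hid-generic \d{4}:([0-9A-Fa-f]{4}):([0-9A-Fa-f]{4})\.\w+: \S+: "
    r"USB HID v[\d.]+ (\w+) \[(.*?)\]"
)

# Hypothetical allowlist of (vendor, product) IDs for keyboards the organisation actually issues.
KNOWN_KEYBOARDS = {("046d", "c52b")}

# A keyboard interface on something that calls itself a cable or charger is the classic tell.
SUSPICIOUS_WORDS = ("cable", "charg")


@dataclass
class Alert:
    vid: str
    pid: str
    name: str
    reason: str


def find_rogue_keyboards(log_text, known=KNOWN_KEYBOARDS):
    """Return an Alert for every USB HID keyboard in the log that is not on the allowlist."""
    pending = {}   # bus path (e.g. "1-3") -> (vid, pid) from the enumeration line
    products = {}  # (vid, pid) -> product string the device reported about itself
    alerts = []
    for line in log_text.splitlines():
        m = NEWDEV_RE.search(line)
        if m:
            pending[m.group(1)] = (m.group(2), m.group(3))
            continue
        m = PRODUCT_RE.search(line)
        if m and m.group(1) in pending:
            products[pending[m.group(1)]] = m.group(2).strip()
            continue
        m = HID_RE.search(line)
        if not m:
            continue
        vid, pid, kind, name = m.group(1).lower(), m.group(2).lower(), m.group(3), m.group(4)
        if kind != "Keyboard":
            continue  # only keystroke-injecting devices matter for this check
        if (vid, pid) in known:
            continue
        product = products.get((vid, pid), name)
        if any(word in product.lower() for word in SUSPICIOUS_WORDS):
            reason = f"keyboard interface on a device describing itself as '{product}'"
        else:
            reason = "keyboard not on the allowlist"
        alerts.append(Alert(vid, pid, name, reason))
    return alerts


if __name__ == "__main__":
    for alert in find_rogue_keyboards(SAMPLE_DMESG):
        print(f"ALERT {alert.vid}:{alert.pid} [{alert.name}] - {alert.reason}")
```

On a real host you would feed it `dmesg` or `journalctl -k` output rather than the constructed sample, and the same correlation (enumeration line, product string, hid-generic binding) works for a udev or auditd pipeline. The allowlist is the weak spot: a cable that clones a known vendor/product ID will pass it, so treat any new keyboard on a kiosk or retail PC as worth a look, not only the ones with a suspicious product string.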
So let's change up the awareness training to make sure it includes these threats, and work through with your staff the best ways to counteract them. Anything we can do to minimise our risk leaves us all better off, and lets us get a little more sleep at night.
As always, tell me what you think: what other physical threats should be included in awareness training? Have you seen something like what Paula or Kevin did in these talks? If we can work together and share what we learn, we will have a much better chance of coming out on top after an incident.
Till next time...