Penetration Testing mailing list archives

Re: Boot floppy

From: Packet Man <packetman () altsec info>
Date: Sun, 15 Apr 2007 09:49:47 -0500

> > On 4/10/07, Mifa wrote:
> >> We have a user who takes a company computer home with them (noits not a
> >> lap top). We have a good reason to need to look at their files.


How I would approach this:

1. Daily gather all sensor data on the user, such as firewall/IPS logs, webproxy logs, etc.

2. Through either a span port or passive network tap, I would capture everypacket this user sends and receives. Then, I would thoroughly analyze andprofile the traffic. This would accomplish two things; (A) the data wouldreveal whether or not the user "may" be operating outside their normal duties,and (B) the information retrieved would provide all the necessary clues forsocial engineering.

3. If enough suspicion has been generated so far, the company should haveenough information to simply confiscate the PC for forensic analysis. Chancesare the PC is infected with spyware anyway, and that would be an excellentexcuse for Desktop Support to swap it out on the user's desk. Even if it'snot infected, the user could be told that the IPS and Firewall logs indicatethat the PC is infected. Give the user a fresh PC to work on (complete withmonitoring software installed) and tell them that their existing data will beprovided for them as soon as it is thoroughly scanned by IT Security to ensurethat none of the files are infected.



Alternative Step 3:

3. If the company IT policy explicitly states that (A) all company ownedcomputers are under the complete whim of the company AND (B) the user can haveno expectation of privacy AND (C) I get a signed authorization frommanagement, I would then proceed to compromise the host through email orbrowser based exploits, the same way the majority of reckless users getcompromised. The exploit(s) would then gather the necessary data from the PCand forward it for analysis.

Caveat: Even if a PC is proved to be transmitting information to anunauthorized destination, that user could be completely innocent. Who knows,maybe the former user who left the company for the competition had a login ortrojan on that user's PC and is siphoning data. Maybe they've just beenhacked. Just because a computer is doing "bad" things, it doesn't mean thatthe "known" operator is responsible.

Remember... you're treading on the path of "best practices" and "rules ofevidence" here. All local, state, and federal laws must be followed to ensurethe integrity of the investigation and the evidence.

Lastly, good luck. In a perfect world management would care and everyonewould work together. Reality says that politics, rivalry, and budget willcombine to defeat even the most talented and honorable ITSec intentions.


Mark Stingley, IDHAFC
Senior Information Security Analyst

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------

Current thread:

Re: Boot floppy, (continued)
- Re: Boot floppy Sat Jagat Singh (Apr 11)
  - Re: Boot floppy Danyelle Gragsone (Apr 11)
- Re: Boot floppy Jamie Riden (Apr 11)
- Re: Boot floppy Juergen Fiedler (Apr 11)
- RE: Boot floppy Wiedemann, Adrian (Apr 11)
- RE: Boot floppy Mifa (Apr 13)
  - Re: Boot floppy Michael Munt (Apr 13)
  - RE: Boot floppy Sat Jagat Singh (Apr 13)
- Re: Boot floppy Shreyas Zare (Apr 13)
  - Re: Boot floppy Morning Wood (Apr 13)
  - Re: Boot floppy Packet Man (Apr 15)
- Re: Boot floppy barcajax (Apr 13)
- Re: Boot floppy Thor (Hammer of God) (Apr 13)
  - Re: Boot floppy Tremaine Lea (Apr 14)
    - Re: Boot floppy Morning Wood (Apr 15)
    - RE: Boot floppy Michele Jordan (Apr 28)