31 July 2016

Listening skills


From an information security perspective, it is easy to get into the habit of framing threats in terms of someone “breaking into” things. The terminology alone inspires mental images of balaclava-wearing attackers, explosions, melodramatic electrical short circuits and so on. In reality, however, it often turns out that no drama and no active breaking-in is required at all. In many situations, all you need is a spot of sedentary, passive listening to get access to whatever you wish.

So, say for example you want to get into a building. These days, most access control systems are based on single-factor RFID, where you wave your card at a reader at the point of entry. All that is required is to loiter at a high-footfall point near the building during peak hours, carrying a long-range RFID scanner in your rucksack. Hey presto, a handful of cloned door entry cards [1]. For the occasions where the card also requires a PIN to be entered, or where there is only a PIN, that’s not a problem either. Simply wait for someone else to use it, then use your trusty infrared camera to see the buttons their finger has touched [2]. Worried that you’ll leave your face all over their CCTV? You shouldn’t have to be if the building is protected with IR-sensitive cameras. To defeat them, all you need is an IR cap, which looks normal to the naked eye but includes powerful IR lamps in the peak to blind the cameras [3]. Instant incognito, wherever you go.

Great, so once you’re in the building, then what? Now you just need an unattended network point to plug into. Simply find an empty meeting room, or if the office is the usual hot-desking affair, look for an unused desk and ask if it’s OK to grab it for a few hours. At this point, all you need to do is plug in the packet sniffer that you brought with you. These now come pre-packaged in a variety of different, anonymous-looking formats, such as filtered power strips [4]. No need to wait; just return later the same day to collect it.

Why would a packet sniffer be any use to you? It’s because modern network infrastructure is enormously complex, which in practice means prone to issues. Although by design a switch is supposed to keep unicast traffic point-to-point between sender and receiver, when the switch gets confused (that is, when it no longer knows which port a destination lives on), it mostly falls back to flooding the traffic out of every port. Sometimes this is due to a misconfiguration, but it can also happen when lines flap, devices are reset, or internal switch forwarding tables get flushed or overloaded. Unfortunately, on a large network with thousands of connections, that will happen much more frequently than you might imagine. The result is that, rather conveniently, all you need to do is plug into the network and wait for something interesting to come to you.
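The flip side for a defender is that the same flooding is observable from any ordinary port. The following Python check is an added example (not the author’s tool or code from the original post): it parses raw Ethernet frames captured in promiscuous mode and counts unicast frames that reached the monitoring host although they were addressed to someone else, which only happens when the switch is flooding. The frames and MAC addresses are constructed for the demonstration.

```python
"""Detect unicast flooding on a monitored switch port (added example)."""
import struct
from collections import Counter

BROADCAST = b"\xff" * 6


def parse_ethernet(frame: bytes):
    """Return (dst, src, ethertype) from a raw Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    return struct.unpack("!6s6sH", frame[:14])


def is_unicast(mac: bytes) -> bool:
    # The I/G bit (least significant bit of the first octet) is 0 for unicast,
    # so broadcast and multicast destinations are excluded here.
    return (mac[0] & 0x01) == 0


def flooded_unicast(frames, local_mac: bytes) -> Counter:
    """Count, per source MAC, unicast frames addressed to another host.

    A properly learned switch never delivers these to us; seeing them means
    the destination was unknown to the switch (flushed or overflowed table)
    and the frame was flooded. Requires the capture NIC in promiscuous mode,
    otherwise the hardware drops such frames before we see them."""
    seen = Counter()
    for frame in frames:
        dst, src, _ = parse_ethernet(frame)
        if is_unicast(dst) and dst != local_mac:
            seen[src] += 1
    return seen


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def make_frame(dst, src, ethertype=0x0800, payload=b"\x00" * 46):
    return struct.pack("!6s6sH", dst, src, ethertype) + payload


# Constructed sample capture: locally administered (02:...) addresses.
LOCAL = bytes.fromhex("020000000001")   # our monitoring host
OTHER = bytes.fromhex("020000000002")   # some other workstation
SRV = bytes.fromhex("020000000003")     # a server talking to OTHER
SAMPLE_FRAMES = [
    make_frame(LOCAL, SRV),                # addressed to us: normal
    make_frame(BROADCAST, OTHER, 0x0806),  # ARP broadcast: normal
    make_frame(OTHER, SRV),                # unicast for OTHER seen by us: flooded
    make_frame(OTHER, SRV),
]

if __name__ == "__main__":
    for src, n in flooded_unicast(SAMPLE_FRAMES, LOCAL).items():
        print(f"{mac_str(src)}: {n} flooded unicast frame(s)")
```

On a real port, feed it frames from a raw socket or pcap reader and alert when the count for any source climbs over a short window; a persistently high count is a sign the switch is spraying traffic that a passive listener could collect.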

About ten years ago, when I was running a lot of on-site security assessments, I wrote a research tool called “passive aggressive” to automate the task. Typically, after leaving it plugged into a corporate network for an hour or so, I would have the credentials for managing the network hardware, along with a dozen Active Directory accounts too (including, if I was really lucky, someone in the IT team who was a privileged user).

The elegance of this approach is that it is almost entirely passive. No breaking in is required, which means there should be little (if any) audit trail produced that would trip up any monitoring tools. No incident to respond to!

How do you stop something like this happening? The truth of the matter is that getting your information security right isn’t something you achieve by buying a product, running a tool, or gaining a certification. It is a long, laborious journey that entails first understanding what you need to protect, and only then taking proportional, pragmatic action to gain the maximum value out of every penny you spend.

The journey of a thousand miles starts with first engaging your brain. ;)


References


  1. http://hackaday.com/2013/11/03/rfid-reader-snoops-cards-from-3-feet-away/
  2. http://petapixel.com/2014/08/29/heres-iphone-thermal-cameras-can-used-steal-pin-codes/
  3. http://odditymall.com/justice-caps-hide-your-face-from-surveillance-cameras
  4. http://lifehacker.com/5952327/turn-a-raspberry-pi-into-a-super-cheap-power-strip-packet-sniffer