Ways of getting data off the premises?
Having made a recent post elsewhere I had to come up with examples to get data off the premises after reading a file from a server:
- paste file contents in say web-based email, docs.google or social networking,
- send it to a remote server as HTTP requests,
- transmit wirelessly to a close by AP,
- make it a password-protected attachment (AV scanners don't like that),
- append it to another file (image will display just fine),
- write contents to a file on removable media and then delete it (what to look for?),
- write contents past the last partition (where to look?),
- make it an EXIF tag,
- scribble inside a book cover, newspaper crossword puzzle or inside a boot,
- convert it to a movie and upload it to whatevertube,
- photograph contents using a (phone) cam,
- read out loud and record voice or use a phone,
- print it out.

Apart from this, using pastebin, silences or code words, tricking the backup courier, flashing office lights, using morse code or braille I'm missing some other ways. If you want to share any please ensure they're not variations on a theme unless they include a notable twist, TIA. |
Quote:
Flash memory in cell phone (like AirShare on iPhone)
Personal laptop stowed in a briefcase, via crossover cable.
SD card, slipped into a digital camera to camouflage it. |
Not subtle, but how about copying the file to a local internal disk and then removing the disk?
|
Notable twist: After having printed out the documents, you throw them into the garbage, recycle bin or "For Shredding" bin. You've already arranged for the recycle pick-up guy, garbage guy, house-keeper or shredder-truck guy to 'dispose of appropriately'.
|
FTP (maybe too obvious)
P2P software
Various abuse of network protocols like data sent on SYN packets, encoding data in packet header fields, or in the payload of ICMP packets. |
Fax the document to somewhere, like a mailbox service that offers send/receive faxes. Even better if you have a modem on the server attached to a PBX and it's a plain text document.
Cheers, Steve |
Quite some interesting additions here. In terms of deceptiveness and deviousness (in a thread like this meaning major bonus points) I especially liked the suggestions that cross technology boundaries or require social engineering in any form. It kind of showcases why logging isn't enough and why it's not uncommon for certain businesses to resort to using a mix of body and X-ray searches, requiring access cards or tokens or other forms of access logging, using (physical) network separation or containment rooms, regular auditing of hardware, software and wetware, denying portable equipment on parts of the premises, CCTV and deploying one or more bloodhounds SO's to hunt track down potential violations.
If you've got more ideas that are not variations on known themes please add them but please leave out the mystique and the supernatural ;-p |
The removal must avoid detection, which means that manipulating the data for portability must be done in a way that will not trigger alarms even when logged. Copying the data will be logged, leading to the question of "What did you do with the copy?" Printing it out is explanatory ("I was going to be in various places and wanted to read it when I could. I then shredded it.") and if caught with the document, just say that you're going to read it at home.
Making a CD copy of documents is second best. Just say you made the CD because you wanted access when the network was down, or to preserve an archive snapshot. Trick is to make a copy of the CD onto a second CD using your personal laptop. That way you can keep the "archive" CD at work and there is no record of the second CD being made on the network -- it was made on your personal lappy. Smuggle it out. That's what I would do. But thank God this is all hypothetical anyway, right? |
Quote:
Just a thought ;) |
If anyone got more contributions that are not variations on known themes please add them but please leave out mystique, the supernatural, stating the obvious or Other Forms of Dispensing Wisdom: please play the game or please don't play.
|
a few ideas that haven't been mentioned yet
-------------------------------------------
1. flash the data into the firmware of an embedded device like an old Linksys wrt router or old cell phone that you don't use any more using a jtag cable, provided the information is small enough to fit (2-8 megs depending on model of wrt router) (note I say the FIRMWARE because some places might randomly check the flash storage area of mobile phones for data that shouldn't be there and yes this will render the device a brick but if it's something you don't care about then who cares, of course you could back up the current firmware first and then flash it back when you are done)
2. burn to an eeprom (similar to above process), (conceal the eeprom burner in a mouse or keyboard, or something innocuous so that it can be left behind if necessary) and carry only the chip out (disguised as something innocuous like an old video game cartridge perhaps)
3. use a steganography tool to hide the data in an image or silly audio clip and email the picture/clip to yourself or just carry it out on a thumb drive
4. use a digital camera (or film camera if you have one but of course having the film developed without being caught might pose a problem unless you have your own darkroom) and photograph the data on the screen
5. use an lcd monitor and scanner and scan the LCD screen displaying the data (similar to above, using your own laptop to run the scanner) |
A number of posts seem to have been deleted from this thread, without any indication from the forum moderators as to why this should be so.
Perhaps it is a system error. An explanation, here, would be appreciated. Edit: I am subscribed to this thread, because I have posted here. My post(s) are not visible, neither are the replies. /Edit |
To avoid distraction by unintentionally and intentionally misinformed posts, hijacking or "discussion" several posts were moved to this thread. Please note this is not up for discussion here, feel free to contact me or any moderator by email.
|
Not sure how this fits with the rules, but there are always screen dumps. In the not unheard of case of a salesperson with legitimate access to commercially sensitive customer information in a database, a page could be legitimately displayed and captured as an image. If this was dumped into word processing software with autosave turned on, then the backup file could be saved to removable media. Change the image to something innocuous in the final copy and save that as well.
|
Quote:
How about a slightly simpler version. Grab a smartphone with Wifi, root it and turn it into a wifi hotspot. If your target computer has wireless capability (most corporations do have lots of laptops lying around) you now have your laptop connected not only to the corporate network, but also to the 3G network which is completely outside of the company's control. |
Engage in a stock takeover attempt, which entitles you to learn many of the target's secrets in order to evaluate the true value of the company. Then after learning the secrets, simply walk away. (mega social engineering)
|
Have a program that monitors a directory at some hour early in the morning, when you are not in the office. If there is a file in that directory then email it, then clean up the mail log file, and stop. So your file you are smuggling out is dropped into the directory at some point in the day, then late at night when you have an alibi, the file is emailed out.
|
Laser data transmission ... yes, it does exist, search for it. I saw it on TV too, and it does work.
Maybe a variation, but I would put the data on a USB stick and drop it out the window to a waiting courier. Or if it is small enough attach it to a paper airplane and throw it out, just have someone out there to catch it. |
delete
|
Quote:
no the most effective way would be something nobody would suspect to check for such as a transceiver attached to the serial or parallel port, especially since such ports aren't commonly used any more and certainly not in such a fashion, thus someone later on investigating a possible leak might overlook such ports until it's too late and the evidence is already gone. Quote:
granted it's impossible to cover all possibilities of data theft but this is a Linux security forum and as they say, to catch a thief you have to think like a thief, that's what this exercise is about ;) |
Questioning this thread's validity is futile as are any distractions like meta-comments. If you still feel compelled to do so then please report instead of post. TIA.
|
Quote:
I kind of suspect that where unSpawn was going with this was that the avenues of attack are much, much greater than the defenses put in place and that a lot of what are considered standard corporate security precautions really don't envision a lot of the vectors that attackers have at their disposal. In fact I would argue (particularly after reading the suggestions in this thread) that trying to accomplish data security through physical/IT methods is largely a waste of time (or at very least subject to the 80/20 rule) and instead companies need to really focus on the personnel involved. Phishing has always been a highly successful attack vector. |
print screen (alt pr/scr)
import clipboard in gimp
and run a fft on the image
send it to any hosting (imagebam, say) or zip it and use z-share
at home dl it and run an inverse fft
http://www.imagebam.com/image/644471103520920
the fft
http://www.imagebam.com/image/2c8f34103520950 |
unSpawn,
Your post here reminded me of this thread. Whilst I was a bit unsettled at the time when my earlier post was chucked ungraciously into moderator's limbo-land earlier in this thread, I'll now suggest you consider gently procuring, and paying well for, the services of a suitably gifted idiot savant. That is a very cruel term, but it is what Wikipedia references it as. Memorise a telephone directory or two, or three? No problem. Memorise a database? No problem. It will need to be displayed before it can be read and memorised though. |
Quote:
Case and thread closed. |