LinuxQuestions.org > Linux - Security > Ways of getting data off the premises?
https://www.linuxquestions.org/questions/linux-security-4/ways-of-getting-data-off-the-premises-835979/

unSpawn 10-03-2010 05:06 PM

Ways of getting data off the premises?
 
Having made a recent post elsewhere I had to come up with examples to get data off the premises after reading a file from a server:
- paste file contents in say web-based email, docs.google or social networking,
- send it to a remote server as HTTP requests,
- transmit wirelessly to a close-by AP,
- make it a password-protected attachment (AV scanners don't like that),
- append it to another file (image will display just fine),
- write contents to a file on removable media and then delete it (what to look for?),
- write contents past the last partition (where to look?),
- make it an EXIF tag,
- scribble inside a book cover, newspaper crossword puzzle or inside a boot,
- convert it to a movie and upload it to whatevertube,
- photograph contents using a (phone) cam,
- read out loud and record voice or use a phone,
- print it out.

Apart from this, using pastebin, silences or code words, tricking the backup courier, flashing office lights, using Morse code or Braille, I'm missing some other ways. If you want to share any please ensure they're not variations on a theme unless they include a notable twist, TIA.
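Two items in the list above, appending a file to an image ("image will display just fine") and stuffing it into a metadata tag, rely on the fact that viewers ignore what they do not need to render. The check below is an added example written for this thread, not code posted by anyone in it: it walks a PNG's chunk list, verifies each CRC, flags oversized text chunks (PNG's tEXt/zTXt/iTXt are the analogue of EXIF tags; EXIF itself lives in JPEG/TIFF and is not parsed here) and reports how many bytes trail the IEND chunk. The sample images and the appended text are constructed inside the script; the 1024-byte text threshold is an assumed policy value.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}  # PNG metadata chunks, the analogue of EXIF tags


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(text_chunks=()) -> bytes:
    """Constructed 1x1 grayscale PNG used as test input (not an image from the thread)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit, colour type 0
    idat = zlib.compress(b"\x00\x00")                     # filter byte + one pixel
    out = PNG_SIG + png_chunk(b"IHDR", ihdr)
    for keyword, value in text_chunks:
        out += png_chunk(b"tEXt", keyword + b"\x00" + value)
    return out + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b"")


def inspect_png(blob: bytes, max_text_bytes: int = 1024) -> dict:
    """Walk the chunk list and report what a viewer silently ignores:
    bytes after IEND, unusually large text chunks, and chunks with bad CRCs."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    findings = {"chunks": [], "bad_crc": [], "large_text_chunks": [],
                "trailing_bytes": 0, "truncated": False}
    pos = len(PNG_SIG)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        crc = blob[pos + 8 + length:pos + 12 + length]
        if len(data) < length or len(crc) < 4:
            findings["truncated"] = True
            break
        name = ctype.decode("latin-1")
        findings["chunks"].append(name)
        if crc != struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF):
            findings["bad_crc"].append(name)
        if ctype in TEXT_CHUNKS and length > max_text_bytes:
            findings["large_text_chunks"].append((name, length))
        pos += 12 + length
        if ctype == b"IEND":
            # Nothing past IEND is rendered, which is why the image "displays just fine"
            findings["trailing_bytes"] = len(blob) - pos
            break
    return findings


def scan_samples() -> dict:
    """Run the check over three constructed files: clean, appended-to, and metadata-stuffed."""
    clean = make_png()
    appended = make_png() + b"CONSTRUCTED-SAMPLE: server file contents appended here\n" * 4
    stuffed = make_png([(b"Comment", b"CONSTRUCTED-SAMPLE " * 300)])
    return {"clean": inspect_png(clean),
            "appended": inspect_png(appended),
            "stuffed": inspect_png(stuffed)}


if __name__ == "__main__":
    for label, result in scan_samples().items():
        print(label, result)
```

Point it at a directory of images that left the network (mail attachments, upload logs) and treat any non-zero trailing_bytes or a text chunk far larger than a camera or editor would write as something to open by hand; a JPEG equivalent would walk the marker segments and look past the EOI marker in the same way.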

TB0ne 10-03-2010 05:44 PM

Quote:

Originally Posted by unSpawn (Post 4116632)
Having made a recent post elsewhere I had to come up with examples to get data off the premises after reading a file from a server:
- paste file contents in say web-based email, docs.google or social networking,
- send it to a remote server as HTTP requests,
- transmit wirelessly to a close-by AP,
- make it a password-protected attachment (AV scanners don't like that),
- append it to another file (image will display just fine),
- write contents to a file on removable media and then delete it (what to look for?),
- write contents past the last partition (where to look?),
- make it an EXIF tag,
- scribble inside a book cover, newspaper crossword puzzle or inside a boot,
- convert it to a movie and upload it to whatevertube,
- photograph contents using a (phone) cam,
- read out loud and record voice or use a phone,
- print it out.

Apart from this, using pastebin, silences or code words, tricking the backup courier, flashing office lights, using Morse code or Braille, I'm missing some other ways. If you want to share any please ensure they're not variations on a theme unless they include a notable twist, TIA.

That's a fairly comprehensive list. I'd add to it:

Flash memory in cell phone (like AirShare on iPhone)
Personal laptop stowed in a briefcase, via crossover cable.
SD card, slipped into a digital camera to camouflage it.

Hangdog42 10-03-2010 06:00 PM

Not subtle, but how about copying the file to a local internal disk and then removing the disk?
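A disk that walks out of the building, and the "write contents past the last partition (where to look?)" item from the first post, both come down to the same forensic question: what sits in the sectors no partition claims? The script below is an added example for this thread, not code from any poster: it reads the MBR partition table of a raw image, finds the end of the last partition and lists every sector after it that holds non-zero bytes. The disk image is constructed in memory (256 sectors, one partition, a planted blob at LBA 230) so it runs offline.

```python
import struct

SECTOR = 512


def build_mbr(partitions) -> bytes:
    """Constructed MBR: 446 bytes of boot code, four 16-byte entries, 0x55AA signature (test input)."""
    table = b""
    for start_lba, sectors in partitions:
        # status, CHS start (3 bytes), type 0x83 (Linux), CHS end (3 bytes), LBA start, sector count
        table += struct.pack("<B3sB3sII", 0x00, b"\x00\x00\x00", 0x83, b"\x00\x00\x00",
                             start_lba, sectors)
    table += b"\x00" * (16 * (4 - len(partitions)))
    return b"\x00" * 446 + table + b"\x55\xaa"


def parse_mbr(sector0: bytes):
    """Return (type, start_lba, sector_count) for every populated primary partition entry."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("no MBR signature")
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i:446 + 16 * (i + 1)]
        ptype = entry[4]
        start, count = struct.unpack("<II", entry[8:16])
        if ptype != 0 and count:
            parts.append((ptype, start, count))
    return parts


def unallocated_tail(image: bytes) -> dict:
    """Locate the sectors after the last partition and report which of them are not all zero."""
    parts = parse_mbr(image[:SECTOR])
    total = len(image) // SECTOR
    last_end = max((start + count for _, start, count in parts), default=1)
    nonzero = [lba for lba in range(last_end, total)
               if any(image[lba * SECTOR:(lba + 1) * SECTOR])]
    return {"partitions": parts, "total_sectors": total, "tail_start_lba": last_end,
            "tail_sectors": max(total - last_end, 0), "nonzero_tail_sectors": nonzero}


def make_image(hidden: bytes = b"") -> bytes:
    """Constructed 256-sector image: one partition covering LBA 1..200, optional data at LBA 230."""
    image = bytearray(build_mbr([(1, 200)]) + b"\x00" * (SECTOR * 255))
    image[SECTOR * 5:SECTOR * 5 + 4] = b"FS!\x00"  # stand-in for filesystem data inside the partition
    if hidden:
        image[SECTOR * 230:SECTOR * 230 + len(hidden)] = hidden
    return bytes(image)


if __name__ == "__main__":
    print("clean :", unallocated_tail(make_image()))
    print("planted:", unallocated_tail(make_image(b"CONSTRUCTED-SAMPLE " * 32)))
```

On a real drive feed it a dd image of the whole device. Two caveats: the parser reads only the four primary entries, so extended partitions and GPT disks need their own tables walked, and a GPT disk legitimately keeps its backup header and entry array in the last sectors, so a non-zero tail there is expected rather than suspicious.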

GrapefruiTgirl 10-03-2010 06:14 PM

Notable twist: After having printed out the documents, you throw them into the garbage, recycle bin or "For Shredding" bin. You've already arranged for the recycle pick-up guy, garbage guy, house-keeper or shredder-truck guy to 'dispose of appropriately'.

OlRoy 10-03-2010 08:00 PM

FTP (maybe too obvious)
P2P software
Various abuse of network protocols like data sent on SYN packets, encoding data in packet header fields, or in the payload of ICMP packets.

SteveK1979 10-04-2010 03:44 PM

Fax the document to somewhere, like a mailbox service that offers send/receive faxes. Even better if you have a modem on the server attached to a PBX and it's a plain text document.

Cheers,
Steve

unSpawn 10-04-2010 04:39 PM

Quite some interesting additions here. In terms of deceptiveness and deviousness (in a thread like this meaning major bonus points) I especially liked the suggestions that cross technology boundaries or require social engineering in any form. It kind of showcases why logging isn't enough and why it's not uncommon for certain businesses to resort to using a mix of body and X-ray searches, requiring access cards or tokens or other forms of access logging, using (physical) network separation or containment rooms, regular auditing of hardware, software and wetware, denying portable equipment on parts of the premises, CCTV and deploying one or more bloodhound SOs to track down potential violations.

If you've got more ideas that are not variations on known themes please add them but please leave out the mystique and the supernatural ;-p

moxieman99 10-04-2010 04:59 PM

The removal must avoid detection, which means that manipulating the data for portability must be done in a way that will not trigger alarms even when logged. Copying the data will be logged, leading to the question of "What did you do with the copy?" Printing it out is explanatory ("I was going to be in various places and wanted to read it when I could. I then shredded it.") and if caught with the document, just say that you're going to read it at home.

Making a CD copy of documents is second best. Just say you made the CD because you wanted access when the network was down, or to preserve an archive snapshot. Trick is to make a copy of the CD onto a second CD using your personal laptop. That way you can keep the "archive" CD at work and there is no record of the second CD being made on the network -- it was made on your personal lappy. Smuggle it out.

That's what I would do. But thank God this is all hypothetical anyway, right?

paulsm4 10-05-2010 12:16 PM

Quote:

If you've got more ideas that are not variations on known themes please add them but please leave out the mystique and the supernatural
There's always carrier pigeon, or ship-to-shore semaphores. The latter can be done using window shades and a bright lamp from the executive suite.

Just a thought ;)

unSpawn 10-05-2010 12:52 PM

Quote:

Originally Posted by moxieman99 (Post 4117666)
Copying the data will be logged

With all due respect, IMHO that's an assumption. The act of copying consists of server-side reading a file (read syscall) and client-side pasting buffer contents. Thinking court-submittable evidence proving the act of copying would not only require server-side but also client-side logging and in a way that is all-encompassing (probably intrusive) to facilitate correlation or replay. Even then copying may not be proven (employee away from unattended and unlocked workstation) unless in-memory, in-transit or on-media evidence of the copying process or copy can be found, or if evidence can be used from other sources (entry systems, surveillance cameras, statements).


Quote:

Originally Posted by moxieman99 (Post 4117666)
But thank God this is all hypothetical anyway, right?

No, unfortunately it wasn't.

unSpawn 10-05-2010 05:03 PM

If anyone got more contributions that are not variations on known themes please add them but please leave out mystique, the supernatural, stating the obvious or Other Forms of Dispensing Wisdom: please play the game or please don't play.

frieza 10-05-2010 05:22 PM

a few ideas that haven't been mentioned yet
-------------------------------------------
1. flash the data into the firmware of an embedded device like an old Linksys wrt router or old cell phone that you don't use any more using a jtag cable, provided the information is small enough to fit (2-8 megs depending on model of wrt router) (note I say the FIRMWARE because some places might randomly check the flash storage area of mobile phones for data that shouldn't be there and yes this will render the device a brick but if it's something you don't care about then who cares, of course you could back up the current firmware first and then flash it back when you are done)

2. burn to an eeprom (similar to above process), (conceal the eeprom burner in a mouse or keyboard, or something innocuous so that it can be left behind if necessary) and carry only the chip out (disguised as something innocuous like an old video game cartridge perhaps)

3. use a steganography tool to hide the data in an image or silly audio clip and email the picture/clip to yourself or just carry it out on a thumb drive

4. use a digital camera (or film camera if you have one but of course having the film developed without being caught might pose a problem unless you have your own darkroom) and photograph the data on the screen

5. use an LCD monitor and scanner and scan the LCD screen displaying the data (similar to above), using your own laptop to run the scanner

tredegar 10-06-2010 03:43 PM

A number of posts seem to have been deleted from this thread, without any indication from the forum moderators as to why this should be so.

Perhaps it is a system error.

An explanation, here, would be appreciated.

Edit: I am subscribed to this thread, because I have posted here. My post(s) are not visible, neither are the replies.
/Edit

unSpawn 10-06-2010 04:32 PM

To avoid distraction by unintentionally and intentionally misinformed posts, hijacking or "discussion" several posts were moved to this thread. Please note this is not up for discussion here, feel free to contact me or any moderator by email.

Guttorm 10-07-2010 08:10 AM

Put a modem near a window? :)

http://it.slashdot.org/article.pl?si...thread&tid=172

allend 10-07-2010 10:30 AM

Not sure how this fits with the rules, but there are always screen dumps. In the not unheard of case of a salesperson with legitimate access to commercially sensitive customer information in a database, a page could be legitimately displayed and captured as an image. If this was dumped into word processing software with autosave turned on, then the backup file could be saved to removable media. Change the image to something innocuous in the final copy and save that as well.

frieza 10-19-2010 07:08 PM

Quote:

Originally Posted by Guttorm (Post 4120468)

hmm if you are going to do that you might as well just build a pair of transceivers out of an infrared laser and detector and put one in the window of your office hidden in some innocuous object and the other one on the dash of your car (disguised as a fuzz buster perhaps where such are legal), of course this can be hampered by people walking past the signal but oh well.

Hangdog42 10-20-2010 06:57 AM

Quote:

Originally Posted by frieza (Post 4132978)
hmm if you are going to do that you might as well just build a pair of transceivers out of an infrared laser and detector and put one in the window of your office hidden in some innocuous object and the other one on the dash of your car (disguised as a fuzz buster perhaps where such are legal), of course this can be hampered by people walking past the signal but oh well.


How about a slightly simpler version. Grab a smartphone with Wifi, root it and turn it into a wifi hotspot. If your target computer has wireless capability (most corporations do have lots of laptops lying around) you now have your laptop connected not only to the corporate network, but also to the 3G network which is completely outside of the company's control.

jschiwal 10-21-2010 02:17 AM

Engage in a stock takeover attempt, which entitles you to learn many of the target's secrets in order to evaluate the true value of the company. Then after learning the secrets, simply walk away. ( mega social engineering )

hairysocks 10-21-2010 02:45 AM

Have a program that monitors a directory at some hour early in the morning, when you are not in the office. If there is a file in that directory then email it, then clean up the mail log file, and stop. So the file you are smuggling out is dropped into the directory at some point in the day, then late at night when you have an alibi, the file is emailed out.

H_TeXMeX_H 10-21-2010 02:47 AM

Laser data transmission ... yes, it does exist, search for it. I saw it on TV too, and it does work.

Maybe a variation, but I would put the data on a USB stick and drop it out the window to a waiting courier. Or if it is small enough attach it to a paper airplane and throw it out, just have someone out there to catch it.

sag47 10-21-2010 02:56 AM

delete

H_TeXMeX_H 10-21-2010 08:07 AM

Quote:

Originally Posted by sag47 (Post 4134465)
Is this thread even in line with the LQ rules? I would consider it cracking since it involves illegally moving data where otherwise prohibited.

Well, I guess it might, unless we assume it is done to somehow prevent this ... to cover all bases, which of course is impossible.

frieza 10-21-2010 11:01 AM

Quote:

Originally Posted by Hangdog42 (Post 4133412)
How about a slightly simpler version. Grab a smartphone with Wifi, root it and turn it into a wifi hotspot. If your target computer has wireless capability (most corporations do have lots of laptops lying around) you now have your laptop connected not only to the corporate network, but also to the 3G network which is completely outside of the company's control.

assuming the machine HAS a wifi adapter which is unlikely in such a case as a machine that might deal with sensitive information that a company or government organization wouldn't want leaked

No, the most effective way would be something nobody would suspect to check for such as a transceiver attached to the serial or parallel port, especially since such ports aren't commonly used any more and certainly not in such a fashion, thus someone later on investigating a possible leak might overlook such ports until it's too late and the evidence is already gone.

Quote:

Originally Posted by H_TeXMeX_H (Post 4134738)
Quote:

Originally Posted by sag47 (Post 4134465)
Another method is to:
Is this thread even in line with the LQ rules? I would consider it cracking since it involves illegally moving data where otherwise prohibited.

Well, I guess it might, unless we assume it is done to somehow prevent this ... to cover all bases, which of course is impossible.

H_TeXMeX_H has a valid point.
Granted, it's impossible to cover all possibilities of data theft, but this is a Linux security forum and as they say, to catch a thief you have to think like a thief; that's what this exercise is about ;)

unSpawn 10-21-2010 12:08 PM

Questioning this thread's validity is futile as are any distractions like meta-comments. If you still feel compelled to do so then please report instead of post. TIA.

Hangdog42 10-21-2010 12:11 PM

Quote:

Originally Posted by frieza
assuming the machine HAS a wifi adapter which is unlikely in such a case as a machine that might deal with sensitive information that a company or government organization wouldn't want leaked

Fair point. However my experience in businesses and organizations is that laptops are a highly desired computing platform, so wifi adapters are really pretty common and the only real obstacle to sensitive information is proper credentials. A lot of sensitive information physically resides on servers that likely don't have wifi cards, but are very accessible from within the company network. I have yet to run into a situation where accessing sensitive information requires you to sit at a specific workstation. You might also be able to tether to a phone via a USB cable, though that is probably easier to prevent by disabling USB ports.

I kind of suspect that where unSpawn was going with this was that the avenues of attack are much, much greater than the defenses put in place and that a lot of what are considered standard corporate security precautions really don't envision a lot of the vectors that attackers have at their disposal. In fact I would argue (particularly after reading the suggestions in this thread) that trying to accomplish data security through physical/IT methods is largely a waste of time (or at very least subject to the 80/20 rule) and instead companies need to really focus on the personnel involved. Phishing has always been a highly successful attack vector.

frieza 10-23-2010 12:21 PM

Quote:

Originally Posted by Hangdog42 (Post 4134983)
In fact I would argue (particularly after reading the suggestions in this thread) that trying to accomplish data security through physical/IT methods is largely a waste of time (or at very least subject to the 80/20 rule) and instead companies need to really focus on the personnel involved.

Indeed, if data can be accessed it can be copied, plain and simple, which is the same argument against all of the DRM schemes used by DVD/Blu-ray/CD manufacturers: they are a waste of time. The best bet for protection against data theft is to simply make sure the employees who have access to the sensitive material (and even those who don't) are trustworthy. Note I say even those who don't, because given the time and resources it would be a trivial matter for someone who knows what they are doing to gain access to sensitive material they shouldn't have access to. Not to say that the sensitive data should be left unsecured, as that would be an invitation to outsiders to steal it, but when it comes to insiders, there is almost nothing that can be done to stop the data from being stolen.

John VV 10-23-2010 03:07 PM

print screen ( Alt Pr/Scr ) import clipboard in GIMP
and run an FFT on the image
send it to any hosting ( imagebam , say)
or zip it and use z-share
at home dl it and run an inverse FFT
http://www.imagebam.com/image/644471103520920
the fft
http://www.imagebam.com/image/2c8f34103520950

tredegar 08-16-2011 05:25 PM

unSpawn,

Your post here, reminded me of this thread. Whilst I was a bit unsettled at the time when my earlier post was chucked ungraciously into moderator's limbo-land earlier in this thread, I'll now suggest you consider gently procuring, and paying well for, the services of a suitably gifted idiot savant

That is a very cruel term, but it is what Wikipedia references it as.

Memorise a telephone directory or two, or three? No problem.
Memorise a database? No problem.

It will need to be displayed before it can be read and memorised though.

unSpawn 08-17-2011 06:55 PM

Quote:

Originally Posted by tredegar (Post 4445002)
I'll now suggest you consider

After giving this careful thought I maintain my position. I asked every contributor to please play the game or please don't play and you did not. In closing please do not necro-post again with a reply that has no bearing on the thread's original question. If you have any follow up comments please email me or any of my fellow forum moderators.
Case and thread closed.
