Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Advice for a spreadsheet macro that calls home?

from [Omar Herrera] Network Security [Permanent Link]
Subject: RE: Advice for a spreadsheet macro that calls home?
Date: Fri, 11 Feb 2005 20:24:04 -0600 
Hi Marc,

I would rather not use an active tool. At least not so fast (and this might
be also a matter of forensics):

a) It might help you avoid potential legal problems (are you sure this is
done with a machine property of the company you are working for and there
are written policies to backup your actions?)

b) If you are not sure which machine they are extracting the information
from, then you might potentially alert the suspect. He might have in place
one of those personal firewalls blocking unknown process from establishing
connections with other machines on the network (Excel is a good candidate to
remain blocked).

c) There are a lot of worms with source code out there and it seems tempting
to just grab one and change things here and there just to avoid being
identified by an antivirus, but you should also know exactly what other
amenities are included with the bug (keyloggers, time bombs, backdoor). Do
you have the time and resources to dig into the code and assure it will
perform as expected? Worst case scenario: you mess with the suspects
machine, the evidence is lost and then he/she points at you for attacking
his/her machine.

d) Do you have proof that the file is actually extracted from the machine
and executed in another? It might be possible that the information is
extracted through other means (keylogger, Trojan horses, social eng. with
other information holders,...)

My recommendations are:

First make sure that the machine is not compromised and that the information
leak does not take place through other means (check physical access, change
passwords,...).

Second, make clear what your ultimate goal is: to know who did it, to prove
that someone did it, or both. Sniffing and physical surveillance might be
just enough, unless you really require unquestionable proof of the act.

Third, whatever is your choice, make sure that the client understands and
accepts all potential risk and consequences before proceeding.

Regards,
Omar Herrera


-----Original Message-----
From: marc spamcatcher [mailto:junk@zounds.net]
A client wants to find out who is accessing some confidential data on his
machine.  Looks like an inside job, the IT staff reading an .xls.

Putting a 'call-home' macro in the file seems like a good bet, since
the file could be pulled in many ways, but must be opened for
reading.  I'm thinking that when the file is opened, a network connection
to a server is opened, and then we know when and where it was opened from.

Are there tools/worms that do this already I should look at?  Am I
over-looking some problems?
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Mapping Class A network ( any easy trick?), John Thomas
Next by Date:  Mapping a Class A, Alfred Huger
Previous by Thread:  Advice for a spreadsheet macro that calls home?, marc spamcatcher
Next by Thread:  RE: Advice for a spreadsheet macro that calls home?, Dario Ciccarone
Indexes:  [Date] [Thread] [Top] [All Lists]