It seems to me from the OP's follow up post that the primary problem
is that they are looking at a highly political situation in a very
small company. Small in like 10 staff total kind of small.
Companies like that simply don't have HR departments and typically
have no policies in place that give an admin any rights.
I suspect the easiest way around the problem is to purchase a new
machine for this employee and just replace it. Walk up with the new
computer, drop it in and take away the old one telling them you'll
back up all their data and migrate their profile. Perfectly
reasonable and innocent sounding, and they really get no grounds to
complain and you set off a minimum of alarm bells.
Then you have the original machine to image the drive at your leisure.
Alternately, tell the user you're upgrading the RAM in all the
computers and blowing the dust out etc and you need them to leave it
overnight for a night.
---
Tremaine Lea
Network Security Consultant
Be in pursuit of equality, but not at the expense of excellence.
On 13-Apr-07, at 8:40 AM, Thor (Hammer of God) wrote:
I don't think anyone's missing the statement -- people are just (in
my mind rightfully) suspicious of these types of scenarios where
there are a million other things that could be done that actually
solve the problem. It's the company's computer. They think this
guy is stealing from them like someone else already did. But, even
though the OP's the administrator of a computer his company owns,
he has no access to it and the admin account is disabled, and they
can't get the guy to run a rootkit any other way. So they want to
figure out how to root the box without any boot tools, auto-runs,
reboots, or anything else while the guy is taking a whiz so they
can see if he is stealing intellectual property all because they
are worried about hurting his feelings. It just doesn't sound right.
Seize the box and perform forensics on it and be done with it.
Then have a set policy put in place to keep stupid things like that
from happening again.
t
----- Original Message ----- From: "Shreyas Zare"
<shreyas@technitium.com>
To: "Pen-Testing" <pen-test@securityfocus.com>
Sent: Thursday, April 12, 2007 8:47 AM
Subject: Re: Boot floppy
Hi,
Everyone almost is missing Mifa's statement which is, "Any other
ideas
how we maight gain access? It has to be fast (bathroom breaks ect). I
dont have time to load a live cd. Further, robooting would cause the
user to loose work."
This means he has to do it quickly without rebooting the machine and
no live CDs as rebooting would make the target suspicious of the act.
So social engineering will work better in this case.
If he has enough powers, he can trojan the machine as its company's
property. And the target may be a real danger for the company's
security, who knows ?
----------------------------------------------------------------------
--
This List Sponsored by: Cenzic
Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!
http://www.cenzic.com/c/2020
----------------------------------------------------------------------
--
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!
http://www.cenzic.com/c/2020
------------------------------------------------------------------------
