donderdag 7 december 2017

Security is not a Christmas gift

The week before Christmas
It’s one of those days where everyone is online looking for a present. Busy times where companies are finalizing their end year activities, kids are nagging to get big presents and family is expecting an exceptional wonderful Christmas dinner.
Suddenly a stranger enters the office. A big smile on his face. "Hoo Hoo Hoo" he shouts. And the warm smile spreads around the office. Who would have thought of this small attention from HR. A warm welcome and guess what ! Everyone receives a USB stick in the shape of a Christmas tree. And a voucher.

That would be the solution. Let’s try this game. If I win then my Christmas problems are solved. As the company does not allow USB stick to be inserted due to security reasons and I shall go on internet and surf to the website presented.
And guess what. After answering some easy questions about the company… WE WON ! The only thing I now have to do is to send an email to Santa with my personal details like: Name, address, phone number and Identity card number in order to validate at delivery.
I feel completely relaxed. Santa was even so nice to respond back to my email with a Word document that I had to print out as prove to be given to the catering company.

Christmas evening...
The document that Santa returned by mail stated that the catering company would arrive at 14:00. However no sign yet. There is a phone number listed but it’s a payable number. Let’s give it a try and see if I can reach someone? The line is bad and there is a person on the line who does not speak English pretty well. However he assures me that everything will be fine.
Hours fly by, kids are getting nervous, family is arriving, but no food, no presents, no catering…. Christmas is becoming a disaster ! Our only solution to save the evening was to call a take-away and give money as a present to the kids. I will make my complains to HR !

But is this the only disaster?
In the meantime, the helpdesk was called by some people, claiming that their dial-in account was not working. They authenticated themselves by giving their name, address, phone number and even identity card numbers, telling which department they are working and who their colleagues were. All these calls were positively handled and people could start working again. Christmas day seemed to be a busy day on the mail servers and internet gateways. But it did not ring any bell.

What really happened ?
A well organised group of hackers, made a funny visit to the victims office. They dressed up as Santa and spread some USB sticks containing a Trojan horse (plan A). And they promoted their malicious website (plan B) on the voucher.
People had to answer some questions which would in the end detail the organisation and some inside knowledge of the company. The Word document (plan C) that was returned also contained some malicious payload. Everyone that had used 1 of those 3 methods was infected and on Christmas day a worm started spreading. Encrypting data and sending files to a collection server hosted somewhere on internet. Thanks to the info provided by the email, Identity theft could take place to validate the hacker to the helpdesk. That way a password reset was performed and the helpdesk was so kind to allow the hacker to enter the companies network.

So next time when Santa arrives in the office, better be vigilant.
Look him straight in the eyes and dare to question his goodness.