Re: Boot floppy

From: Tremaine Lea (pen-test@ddiction.com)
Date: Sat Apr 14 2007 - 08:53:24 EDT


It seems to me from the OP's follow-up post that the primary problem
is that they are looking at a highly political situation in a very
small company. Small as in 10 staff total kind of small.
Companies like that simply don't have HR departments and typically
have no policies in place that give an admin any rights.

I suspect the easiest way around the problem is to purchase a new
machine for this employee and just replace it. Walk up with the new
computer, drop it in and take away the old one, telling them you'll
back up all their data and migrate their profile. Perfectly
reasonable and innocent sounding, they really get no grounds to
complain, and you set off a minimum of alarm bells.

Then you have the original machine to image the drive at your leisure.

Alternately, tell the user you're upgrading the RAM in all the
computers and blowing the dust out etc. and you need them to leave it
overnight.

---
Tremaine Lea
Network Security Consultant
Be in pursuit of equality, but not at the expense of excellence.

On 13-Apr-07, at 8:40 AM, Thor (Hammer of God) wrote:
> I don't think anyone's missing the statement -- people are just (in  
> my mind rightfully) suspicious of these types of scenarios where  
> there are a million other things that could be done that actually  
> solve the problem.  It's the company's computer.  They think this  
> guy is stealing from them like someone else already did.  But, even  
> though the OP's the administrator of a computer his company owns,  
> he has no access to it and the admin account is disabled, and they  
> can't get the guy to run a rootkit any other way.  So they want to  
> figure out how to root the box without any boot tools, auto-runs,  
> reboots, or anything else while the guy is taking a whiz so they  
> can see if he is stealing intellectual property all because they  
> are worried about hurting his feelings.  It just doesn't sound right.
>
> Seize the box and perform forensics on it and be done with it.   
> Then have a set policy put in place to keep stupid things like that  
> from happening again.
>
> t
>
> ----- Original Message -----
> From: "Shreyas Zare" <shreyas@technitium.com>
> To: "Pen-Testing" <pen-test@securityfocus.com>
> Sent: Thursday, April 12, 2007 8:47 AM
> Subject: Re: Boot floppy
>
>
>> Hi,
>>
>> Almost everyone is missing Mifa's statement, which is, "Any other
>> ideas how we might gain access? It has to be fast (bathroom breaks etc). I
>> don't have time to load a live CD. Further, rebooting would cause the
>> user to lose work."
>>
>> This means he has to do it quickly without rebooting the machine and
>> no live CDs, as rebooting would make the target suspicious of the act.
>> So social engineering will work better in this case.
>>
>> If he has enough powers, he can trojan the machine as it's the company's
>> property. And the target may be a real danger for the company's
>> security, who knows?
>


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:44 EDT