Low-Tech Attacks Still Get the Job Done

Ralph DeFrangesco

A hospital employee who worked as a security guard was able to install botnets on hospital computers, according to a recent FBI release. Jesse William McGraw, also known as GhostExodus, worked for United Protection Services in Dallas, Texas. McGraw walked into Carrel Clinic, where he worked, and installed malicious software on confidential systems and systems that managed the building's HVAC system, all while videotaping himself performing the antics like he was in a Mission Impossible movie.


I think a few points here are interesting:


  1. It was an inside job. As we all know, the majority of attacks come from inside an organization. The level of trust that an organization must bestow on its employees in order to allow them to perform their duties opens innumerable doors to malicious activity. Strangely, surveys still find plenty of companies reporting that they don't consider internal threats any more serious than external ones.
  2. He did it by walking into the hospital and installing the software physically on each computer - very low-tech, but effective. Again, is attention being paid to the right thing? Many companies may be more concerned, especially right now, with employees taking data out the door, but this case shows that they need to be equally vigilant about employees, contractors, vendors or other visitors bringing something in.
  3. He didn't go for all high-profile systems. This would draw too much attention. Of course, what qualifies as high-profile will vary widely from organization to organization. This story from last year says that one internal thief at the U.S. Naval Research Laboratory carried out almost 19,000 separate pieces of equipment, complete with data, over the course of 10 years.
  4. He videotaped himself committing the crime. Okay, the last point just proves he is an idiot. Taken holistically, though, this shows that no matter how much hardware, software, monitoring, or people we throw at security, we are still vulnerable to a low-tech attack, and perhaps even more so than the high-tech version.

Jul 20, 2009 12:38 PM Richard Wang, SophosLabs says:

The first question that occurs to me when reading about this attack is 'How was a security guard able to install software at all?'. His own login credentials should not have been sufficient to install software. In fact, defining the correct access rights for users is the first of Sophos's security tips for network administrators. Although having physical access to a computer opens more avenues for attack, they too can be secured. Device control software can disable USB or CD/DVD drives. Full disk encryption can block access to the hard disk if anyone tries to reboot the computer using a live CD, thereby preventing them from installing any other software.

Attacks from insiders are a serious threat to any organization but a few simple measures can make it much harder for a malicious insider to execute an attack. Walking up to a computer and installing some software simply should not be an available option.

Oct 14, 2009 6:25 AM XP Drivers says:

I'm surprised he was able to do this. I mean, didn't anyone at all think it was strange for a security guard to be going from computer to computer instead of watching his post?

