Low-Tech Attacks Still Get the Job Done


A hospital security guard was able to install botnet malware on hospital computers, according to a recent FBI release. Jesse William McGraw, also known as GhostExodus, worked for United Protection Services in Dallas, Texas. McGraw walked into Carrel Clinic, where he was posted, and installed malicious software on systems holding confidential data and on the system that controlled the building's HVAC, all while videotaping himself performing the antics as if he were in a Mission Impossible movie.


What I find interesting here are a few points:


  1. It was an inside job. As we all know, a large share of attacks come from inside the organization. The level of trust an organization must place in its employees so they can do their jobs opens innumerable doors to malicious activity. Strangely, surveys still find many companies reporting that they don't consider internal threats more serious than external ones.
  2. He did it by walking into the hospital and installing the software by hand on each computer: very low-tech, but effective. Again, is attention being paid to the right thing? Many companies may be more concerned, especially right now, with employees taking data out the door, but this case shows that they need to be equally vigilant about employees, contractors, vendors, or other visitors bringing something in.
  3. He didn't go exclusively after high-profile systems; that would draw too much attention. Of course, what qualifies as high-profile varies widely from organization to organization. A story from last year reported that one internal thief at the U.S. Naval Research Laboratory carried out almost 19,000 separate pieces of equipment, complete with data, over the course of 10 years.
  4. He videotaped himself committing the crime. Okay, the last point just proves he is an idiot. Taken holistically, though, this shows that no matter how much hardware, software, monitoring, or staff we throw at security, we are still vulnerable to a low-tech attack, perhaps even more so than to the high-tech version.