Hak5 Forums
GeeBee

advice needed Undetectable Hack on My Pc


My Windows works laptop has been hacked, with files and programs being added and removed and some Skype conversations found that I didn't have about theft of company files.

The laptop is used only by me at home and work. I know it's been hacked because I know I didn't do it, but I face the sack if I can't convince my bosses that it is possible to do this, even though they have paid 2 companies to search the laptop for proof that it has been hacked.
Any advice on how this is possible?
Is it just a hard to detect back door? If so, what is the hardest to detect?
Thanks for any advice on how this is possible.


Line by line through the registry?

Replace hardware with fresh/new duplicate hardware and look for changes in registry/management policies?

Inspecting full packet TCPdump before, during and after the first two?

Self inflict high dollar ransom ware and let the higher ups deal with it?

Somehow, some way (but still understandably) the laptop finds itself in saltwater or an emp..?

Trust that good things always come after bad things, it's the timeframe that we hate.

good luck.


Honestly, if you say it's been hacked somehow, give it to your IT department and let them do their job of discerning what has happened. If you don't have the knowledge to do so, you're not likely to find a full guide on how to here.

 

I know that may come across as dismissive, but it's up to your IT department to check your claim, not you to prove it.


Thanks for your comments, guys.

As far as my company are concerned, they have finished inspecting it, getting 2 opinions on it, and neither of them have found a backdoor.

I guess what I'm really looking for before my hearing is an article explaining / describing the fact that it's not always possible to find a backdoor unless you're the hacker that's put it there?

thanks in advance

9 hours ago, GeeBee said:

Thanks for your comments, guys.

As far as my company are concerned, they have finished inspecting it, getting 2 opinions on it, and neither of them have found a backdoor.

I guess what I'm really looking for before my hearing is an article explaining / describing the fact that it's not always possible to find a backdoor unless you're the hacker that's put it there?

thanks in advance

You're probably not going to be able to prove anything, as if this was a sophisticated attack, it could have run from memory and be gone on reboot. No way to prove that really other than catching them in the act. What they did to get in would also be hard to prove other than having someone pentest the box itself, ie: actively hack you. If you have certain services enabled, this could let anyone in, and if you have weak credentials for anything, even easier. SMB would probably be where they got in, but that is just a guess since it's a business machine, it more than likely has file sharing services in use and unpatched files. The recent WannaCry attack for example is one that could go undetected other than the fact it is ransomware, but the attacks used relied on more recent 0-days that many had not patched against, all of which could have been done without your knowledge.

At the end of the day, you're pretty much shit out of luck other than catching them in the act, or them slipping up and leaving something forensically on the system, for which you said 2 groups have already checked against. Even the way it sounds from what you describe, it seems unreasonable you aren't the culprit, but we have no way to prove for or against you. If this was truly hacked, and used your Skype to talk up business stuff, then possibly targeted by someone in the company like a co-worker. You should log on to the Skype website (not your client) and see if they show any info for IP addresses logged into the account, although I'm not sure if they log them or have a setting for that. It's possible they guessed your password(s) and used the accounts that way as well, since Skype is not limited to only the desktop or mobile clients, you don't need a client to use Skype, only access to the Skype site and the login details.

On 16-5-2017 at 10:51 AM, GeeBee said:

My Windows works laptop has been hacked, with files and programs being added and removed and some Skype conversations found that I didn't have about theft of company files.

The laptop is used only by me at home and work. I know it's been hacked because I know I didn't do it, but I face the sack if I can't convince my bosses that it is possible to do this, even though they have paid 2 companies to search the laptop for proof that it has been hacked.
Any advice on how this is possible?
Is it just a hard to detect back door? If so, what is the hardest to detect?
Thanks for any advice on how this is possible.

If done correctly I guess a hack can't be traced technically.

So try to disprove the evidence.

1) Maybe you can prove you weren't near your laptop at the time of one of these Skype incidents.

2) If there are Skype recordings maybe they can work in your favor.

3) If your password was weak at the time (several old passwords may still be in the system), you can claim someone else hacked your account.

4) Maybe you have obvious enemies and if they had motive/means/opportunity, you can claim they did this ..

5) Etc ..

Also it may be a good thing to lawyer up depending on how serious the situation is.

On 2017-5-16 at 4:51 PM, GeeBee said:

My Windows works laptop has been hacked, with files and programs being added and removed and some Skype conversations found that I didn't have about theft of company files.

The laptop is used only by me at home and work. I know it's been hacked because I know I didn't do it, but I face the sack if I can't convince my bosses that it is possible to do this, even though they have paid 2 companies to search the laptop for proof that it has been hacked.
Any advice on how this is possible?
Is it just a hard to detect back door? If so, what is the hardest to detect?
Thanks for any advice on how this is possible.

Some qns:

1) Do you have administrative rights on the laptop? Usually IT dept will not allow employees to install/remove programs. If you are not granted admin rights in the first place then this will be advantageous in your case since you should not be able to add or remove programs.

2) Could you share the value of the data loss? Sophisticated hack jobs are expensive. 

3) Could it be a sabotage? Did you leave your laptop unattended in the office? From this perspective then it makes sense that 2 companies are not able to find signs of intrusion & backdoor.

3 hours ago, esa said:

Some qns:

1) Do you have administrative rights on the laptop? Usually IT dept will not allow employees to install/remove programs. If you are not granted admin rights in the first place then this will be advantageous in your case since you should not be able to add or remove programs.

2) Could you share the value of the data loss? Sophisticated hack jobs are expensive. 

3) Could it be a sabotage? Did you leave your laptop unattended in the office? From this perspective then it makes sense that 2 companies are not able to find signs of intrusion & backdoor.

Hi guys

Thanks for your comments, really appreciated.

It's just an off the shelf pc laptop I purchased myself with the company credit card, so I have full access and don't leave it unattended, so you can see why they don't believe I'm responsible.

It's not an expensive data loss, why do you think a hack is expensive? Do you mean if someone buys a hack software off the dark web?

thanks graham

5 hours ago, RickD said:

If done correctly I guess a hack can't be traced technically.

So try to disprove the evidence.

1) Maybe you can prove you weren't near your laptop at the time of one of these Skype incidents.

2) If there are Skype recordings maybe they can work in your favor.

3) If your password was weak at the time (several old passwords may still be in the system), you can claim someone else hacked your account.

4) Maybe you have obvious enemies and if they had motive/means/opportunity, you can claim they did this ..

5) Etc ..

Also it may be a good thing to lawyer up depending on how serious the situation is.

Hi

thank you for your comments

Can I just confirm, it's not my Skype account, but a record of it is on my laptop and a long conversation over many months was recovered using software SkypeAlyzer

and the files downloaded onto my pc over many months

7 hours ago, GeeBee said:

Hi guys

Thanks for your comments, really appreciated.

It's just an off the shelf pc laptop I purchased myself with the company credit card, so I have full access and don't leave it unattended, so you can see why they don't believe I'm responsible.

It's not an expensive data loss, why do you think a hack is expensive? Do you mean if someone buys a hack software off the dark web?

thanks graham

Usually it is expensive. 
https://www.wired.com/2015/11/heres-a-spy-firms-price-list-for-secret-hacker-techniques/

Do you have Anti Virus software installed?  It helps to eliminate free/cheap tools found in public space. 

 

So from the hacker's perspective, why would he/she spend the effort & risk getting caught to target you for data that are not worth much?
Furthermore why spend the effort to plant fake Skype messages on your PC?
That the hacker managed to access your PC and steal data without leaving any trace, but "carelessly" left planted Skype messages, is highly suspicious.

Somebody wants you to take the fall. 

 

Can you share the Skype ids/email involved in the conversation?

 

 

 

15 hours ago, GeeBee said:

Hi

thank you for your comments

Can I just confirm, it's not my Skype account, but a record of it is on my laptop and a long conversation over many months was recovered using software SkypeAlyzer

and the files downloaded onto my pc over many months

I guess the big question is: are you in any tense (company) situation where someone might wanna take you down/ hurt you, and plant false evidence on your computer?

If not, the whole thing does not make much sense to me. Why would a random outside hacker plant something like that just for fun? And if it's a data theft they would just have gone in and taken it without a Skype record.

Like I wrote before, analyse the Skype data (or have it analysed by an independent person not related to the company). If it is not yours there will be flaws in it somewhere that can prove it was not you and you are being framed.

BTW: The most logical explanation to me is that someone figured out your password and used your laptop for this while you were at lunch or something (like I said, the answer is in the (Skype) data on the laptop).

22 hours ago, GeeBee said:

It's just an off the shelf pc laptop I purchased myself with the company credit card

I only ask as I haven’t seen the question asked yet - was this a brand new (sealed box) laptop? or was this a used/refurbished machine?

Just putting it out there that second hand machines, if not cleaned or properly reset, could sometimes incorporate some of the previous owners history or at worst malicious software.

20 hours ago, GeeBee said:

It's not my Skype account, but a record of it is on my laptop and a long conversation over many months was recovered using software SkypeAlyzer

That could maybe explain the unknown history found on the machine. But date/time stamps should clear that up for example if the conversations took place before you owned the laptop you would have a valid argument.

Also (but maybe not as nice to hear) is that maybe you did do it and are looking for viable reasons to be able to defend your position and keep your job. Just saying it's possible and not that is what has happened. For example most of my family users wouldn’t know what the darkweb is, let alone know they could buy anything from it.

22 hours ago, GeeBee said:

Do you mean if someone buys a hack software off the dark web?

Either way I hope your situation comes to a conclusion soon as the "not knowing" can take its toll on anyone being investigated, especially added with potential of losing their job. Don't forget to de-stress often :)

Edited by Just_a_User


How long have you had the laptop? If it's a second-hand laptop it sounds like they left some malicious software on there, whether it's accidental or not it's hard to tell with those.

It's also not hard to put an old Skype conversation in your Skype install. All those conversations can be sourced from your PC's local files so a hacker could potentially copy a file from a USB/SMB share to your PC into the Skype directory. This is supported by the fact that you said those conversations talk about company file theft. So if this wasn't there before, someone is definitely trying to frame you, though it doesn't have to be a person deliberately trying to hurt you - it could just be a hacker trying to grab some files and get out without being suspected himself - easiest way to do that is to frame someone else (which I guess he is deliberately trying to hurt you, but not for personal reasons).

Also, you mentioned that there was no trace of the hack. This could mean a few things - one, which was suggested by the friendly-neighbourhood-neo-fighter, is the hack could have been run in memory and therefore there is no trace of it in your local files. You can always try looking in your event log/event viewer (just type 'Event Viewer' into Windows start menu) and probably go with the Applications and Services tab (top left) and scroll down to the day you think your hack started (don't bother looking at when the Skype conversations were started - the dates/times can be changed fairly easily). You're looking for something suspicious. It's possible it isn't even there (not ridiculously hard to remove event logs).
Another thing that it could mean (in terms of the untraceable hack) is it could have been passed to you over your network. So when you use it at home someone could have got into your network from the outside and done some damage. However I think this is unlikely as it was specifically targeting you as an employee of a company, so unless someone knew your network to be yours and knew you to be an employee of the company it is unlikely that was the way it was done. Although, your home network would be marginally more insecure than your company's network.

In terms of proving your innocence, I can't really offer much there. The hack is more than likely no longer on your PC, probably isn't any event logs on this hack and the Skype conversation is hard to disprove, unless you know that Skype conversations can be placed fairly easily.

If I wanted to place a Skype conversation I would create two Skype accounts and have them message each other about hacking a company (by the way, is there anything interesting in the conversation - like a method of the hacking or saying how they would do it etc.?) and then copy the conversation file to your PC, after changing the names of the 2 accounts. Not too hard.

That's what I got from your dilemma, anyway.
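The event-log review suggested in the post above can also be run over an exported copy of the log instead of scrolling through Event Viewer. This is an added example, not part of the original thread: it parses events in the XML form that `wevtutil qe Security /f:xml` emits (wrapped in one root element) and flags log-clear and time-change events, gaps in the record numbering and timestamps that run backwards. The sample records and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Event IDs worth flagging on sight in an unfiltered export.
FLAGGED_IDS = {
    1102: "Security audit log was cleared",
    104: "an event log was cleared (recorded in the System log)",
    4616: "system time was changed",
}


def _ev(record_id, event_id, when):
    """Build one constructed <Event> element in the Windows event XML schema."""
    return (
        "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
        f"<System><EventID>{event_id}</EventID>"
        f"<TimeCreated SystemTime='{when}.000000000Z'/>"
        f"<EventRecordID>{record_id}</EventRecordID>"
        "<Channel>Security</Channel></System></Event>"
    )


# Constructed sample: log cleared, two records missing, clock moved backwards.
SAMPLE_EXPORT = "<Events>" + "".join([
    _ev(5001, 1102, "2017-05-01T08:00:00"),
    _ev(5002, 4624, "2017-05-01T08:05:00"),
    _ev(5003, 4634, "2017-05-01T08:30:00"),
    _ev(5006, 4624, "2017-05-02T09:00:00"),
    _ev(5007, 4616, "2017-05-02T09:10:00"),
    _ev(5008, 4624, "2017-04-30T10:00:00"),
]) + "</Events>"


def parse_events(xml_text):
    """Return the export's events as dicts, ordered by EventRecordID."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        system = ev.find("e:System", NS)
        stamp = system.find("e:TimeCreated", NS).get("SystemTime")
        events.append({
            "record_id": int(system.findtext("e:EventRecordID", namespaces=NS)),
            "event_id": int(system.findtext("e:EventID", namespaces=NS)),
            # SystemTime is UTC; sub-second digits are dropped for comparison.
            "time": datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S")
                            .replace(tzinfo=timezone.utc),
        })
    return sorted(events, key=lambda e: e["record_id"])


def find_anomalies(events):
    """Return (kind, record_id, detail) tuples for one channel's events.

    The export must be unfiltered: a query that selects only some event IDs
    produces record-number gaps by design.
    """
    findings = []
    prev = None
    for ev in events:
        rid = ev["record_id"]
        if ev["event_id"] in FLAGGED_IDS:
            findings.append(("flagged_event", rid, FLAGGED_IDS[ev["event_id"]]))
        if prev is not None:
            missing = rid - prev["record_id"] - 1
            if missing > 0:
                findings.append(
                    ("record_gap", rid, f"{missing} record(s) missing before this one"))
            if ev["time"] < prev["time"]:
                findings.append(
                    ("time_regression", rid, f"earlier than record {prev['record_id']}"))
        prev = ev
    return findings


if __name__ == "__main__":
    for kind, rid, detail in find_anomalies(parse_events(SAMPLE_EXPORT)):
        print(f"{kind:16} record {rid}: {detail}")
```

An empty result only means these particular traces are absent; a time regression can also come from an ordinary clock correction, so each finding is a lead to examine, not a conclusion.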

8 hours ago, Dave-ee Jones said:

How long have you had the laptop? If it's a second-hand laptop it sounds like they left some malicious software on there, whether it's accidental or not it's hard to tell with those.

It's also not hard to put an old Skype conversation in your Skype install. All those conversations can be sourced from your PC's local files so a hacker could potentially copy a file from a USB/SMB share to your PC into the Skype directory. This is supported by the fact that you said those conversations talk about company file theft. So if this wasn't there before, someone is definitely trying to frame you, though it doesn't have to be a person deliberately trying to hurt you - it could just be a hacker trying to grab some files and get out without being suspected himself - easiest way to do that is to frame someone else (which I guess he is deliberately trying to hurt you, but not for personal reasons).

Also, you mentioned that there was no trace of the hack. This could mean a few things - one, which was suggested by the friendly-neighbourhood-neo-fighter, is the hack could have been run in memory and therefore there is no trace of it in your local files. You can always try looking in your event log/event viewer (just type 'Event Viewer' into Windows start menu) and probably go with the Applications and Services tab (top left) and scroll down to the day you think your hack started (don't bother looking at when the Skype conversations were started - the dates/times can be changed fairly easily). You're looking for something suspicious. It's possible it isn't even there (not ridiculously hard to remove event logs).
Another thing that it could mean (in terms of the untraceable hack) is it could have been passed to you over your network. So when you use it at home someone could have got into your network from the outside and done some damage. However I think this is unlikely as it was specifically targeting you as an employee of a company, so unless someone knew your network to be yours and knew you to be an employee of the company it is unlikely that was the way it was done. Although, your home network would be marginally more insecure than your company's network.

In terms of proving your innocence, I can't really offer much there. The hack is more than likely no longer on your PC, probably isn't any event logs on this hack and the Skype conversation is hard to disprove, unless you know that Skype conversations can be placed fairly easily.

If I wanted to place a Skype conversation I would create two Skype accounts and have them message each other about hacking a company (by the way, is there anything interesting in the conversation - like a method of the hacking or saying how they would do it etc.?) and then copy the conversation file to your PC, after changing the names of the 2 accounts. Not too hard.

That's what I got from your dilemma, anyway.

Hi, thank you so much for taking the time to give me your comments

Yes, it's a brand new sealed box laptop I have owned for about 4 years

and the conversation stretches into 2 years

Is it possible then for my end of the conversation to have taken place on another pc, then once the account is opened on my pc all the conversations then appear as though they have taken place on mine?

Can you explain more about a hack being run in memory, how do they get in my memory to run the hack

as there's evidence that the files weren't all downloaded onto my pc on one occasion but over quite a few months, so how do they keep getting into my memory to run a hack there?

many thanks in advance Graham


Metasploit allows you (as well as other exploit shell code) to run all of your session in memory, and never have to touch disk. Depending on how it was exploited, or in the case of new Windows holes recently disclosed, they could have used a 0-day like the ones released by the NSA and CIA leaks to gain access, but 2 years is a long time to go unnoticed and only come to light after some nefarious Skype conversation(s).

For me, most of this sounds like BS though, as they'd need a way to cause persistence if this was an ongoing hack targeted at your machine. They'd either need to be in close proximity, and on the same network as you all the time, or this was a one off thing, which makes no sense for there to be 2 years worth of Skype conversations if that was the case. If they wanted to be exploiting you for this long, the goal would have probably been achieved much sooner than later, so why now?

When, and even if an exploit happened, how was the skype info discovered, why, and by whom. I'd start back stepping into those channels first and work up to how it was discovered about these conversations to begin with, if they weren't actually you, now trying to cover your arse. If you were truly hacked, the discovery of info that paints you in a bad light, has to have motive and someone behind it. It's irrelevant at this point how they got in if there is no reason for them to do so. Proving your innocence I think will be more tied in trying to prove you being framed, if even possible. We obviously don't have all the details, but this seems more like shenanigans and a rabbit hole that seems more fiction than facts.

At the end of the day, none of us are lawyers, not able to help you in any way other than speculation. Stick to what you know, explain the facts as you know them, not as you wish them to be, and get a good lawyer if you are going to trial over this. A lawyer with background in digital media and computers would be someone to look for, and let them call in experts to examine the device, ie: EFF type lawyers or such that know what they are doing and have contacts of technical leads that can examine the laptop. Digital forensics people trained in this are better to handle this vs coming to public forums for help, which may also hurt your case in the long run if discovered. If I was in a legal issue over things like this, public forums would probably be the last place I would disclose it, and if seeking public assistance, all my facts and info would be obfuscated in conversation to keep things confidential and not out in the open.


Ok have only skimmed over all the above but just want to throw in my 2 cents. Dos and don'ts really. Skype is hugely penetrable, if you have a used laptop you should completely reformat it, if you have a company laptop and have been sent malicious links via mail then it's a result of your company's exchange filter of what gets through so the fault is in them, have you been using this laptop for downloading music, movies, any torrents etc? If so you could have downloaded a RAT without noticing (remote administration tool), have you been opening up any Word or Excel documents that have macros attached? There is so many routes to gain access the list does go on. But if your company wanted to actually look into the matter legally they would need to send it off to a data forensic company for review, any in-house reviews are just the first step.

Personally if the company is at fault and didn't secure the network or hardware you work on remotely then the fault is with them. Even if you was using the internet to download all sorts it's still in the company's interest and legally tender to keep all info secured properly and a leak of data to a minimum of a breach has happened. 

So it is a hard one to say tbh, I would love to put your mind at ease. Maybe a side note tho. I once got contacted by a company looking for a security issue they had, long story short there was unknown logins to the company's cloud remotely, 1 week of full scanning checking and poking about and it turned out that the IT manager forgot his laptop charger and decided to log into the cloud from an Internet cafe in London...... there was the security breach lol. He was at fault in one way but again he didn't lose his job.

So if we being really honest here and you know you not done anything silly or anything then, you go to your meeting, look them in the eye and say, this is no known fault of my own, before any hearings I would like a data forensic team to look into this security breach as I believe I wasn't negligent and this is a internal company security matter. 

Hope all goes well 

let us know how you get on 


Hey Primz, maybe read all of his posts in this thread if not everyone else's.

 

@GeeBee If proof is all you need that a hack can happen, you could have one demonstrated in similar fashion to the following.

1 - Have third party pentester team or infosec people on hand.

2 - one work issued laptop, with patch level to that as it was when you were told about the issue, ie: before wannacry type patches came out.

3 -  second laptop used by infosec team as listener for reverse shell

4 - ducky with payload to spawn reverse shell to infosec team's laptop, with payload that never touches disk and only runs in memory

5 - router with only you and the infosec team connected to it to share same local subnet

From there, show them plug in the ducky to execute the reverse shell, while having the attacker laptop listening for it, and then demonstrate how they can do things to the system like copy and remove files.

This probably isn't going to be enough to get you off, but can at least demonstrate that your machine can be attacked(which all things can be hacked with the right circumstances in place).

You could even have them demonstrate some other flaws, like the recent attacks that used DoublePulsar or WannaCry, any of the Shadow Brokers attacks for that matter, which can be modified to run via Metasploit and a meterpreter session to never touch disk. There are tools for pulling your Skype creds as well which would be stored on your machine and can be abused third party.

 

10 hours ago, digip said:

Hey Primz, maybe read all of his posts in this thread if not everyone else's.

 

@GeeBee If proof is all you need that a hack can happen, you could have one demonstrated in similar fashion to the following.

1 - Have third party pentester team or infosec people on hand.

2 - one work issued laptop, with patch level to that as it was when you were told about the issue, ie: before wannacry type patches came out.

3 -  second laptop used by infosec team as listener for reverse shell

4 - ducky with payload to spawn reverse shell to infosec team's laptop, with payload that never touches disk and only runs in memory

5 - router with only you and the infosec team connected to it to share same local subnet

From there, show them plug in the ducky to execute the reverse shell, while having the attacker laptop listening for it, and then demonstrate how they can do things to the system like copy and remove files.

This probably isn't going to be enough to get you off, but can at least demonstrate that your machine can be attacked(which all things can be hacked with the right circumstances in place).

You could even have them demonstrate some other flaws, like the recent attacks that used DoublePulsar or WannaCry, any of the Shadow Brokers attacks for that matter, which can be modified to run via Metasploit and a meterpreter session to never touch disk. There are tools for pulling your Skype creds as well which would be stored on your machine and can be abused third party.

 

I don't think that will help his case, as that just shows them how easily he (Graham) can do a hack. Especially if it looks like a reverse shell (the company managers might not see it as a reverse shell - they'll just go "dude, this guy pulled up some hacker stuff on his screen - what's he doing??"), it would just dig him a bigger hole.

Sure he may be showing them how someone hacked his PC and put a Skype convo on it, but it shows them that "hey, he knows his stuff man. Who says he couldn't've done it, he obviously knows a thing or two..", so I do not think it wise.

2 hours ago, Dave-ee Jones said:

I don't think that will help his case, as that just shows them how easily he (Graham) can do a hack. Especially if it looks like a reverse shell (the company managers might not see it as a reverse shell - they'll just go "dude, this guy pulled up some hacker stuff on his screen - what's he doing??"), it would just dig him a bigger hole.

Sure he may be showing them how someone hacked his PC and put a Skype convo on it, but it shows them that "hey, he knows his stuff man. Who says he couldn't've done it, he obviously knows a thing or two..", so I do not think it wise.

I'm saying he have a team, like court/lawyer hired experts on his behalf, demonstrate the attack on a work machine setup how his was at the time of disclosure. This demonstration is merely to show that he could have been attacked in similar fashion. You then reboot, and let them inspect the laptop to see if they can detect it having happened and how, given, they will know how it was done, but at a minimum shows one way attacks like this happen and go undetected.

  • Upvote 1

2 hours ago, digip said:

I'm saying he have a team, like court/lawyer hired experts on his behalf, demonstrate the attack on a work machine setup how his was at the time of disclosure. This demonstration is merely to show that he could have been attacked in similar fashion. You then reboot, and let them inspect the laptop to see if they can detect it having happened and how, given, they will know how it was done, but at a minimum shows one way attacks like this happen and go undetected.

Yeah. That would be the way to do it - though that still doesn't exactly help him a lot, as it doesn't prove it wasn't him it just proves that it could have been anyone.

7 hours ago, Dave-ee Jones said:

Yeah. That would be the way to do it - though that still doesn't exactly help him a lot, as it doesn't prove it wasn't him it just proves that it could have been anyone.

Yeah, that was my point. Proof it can be hacked, but probably won't exonerate him as the one who actually did something they don't like. From my POV, no one hacked it, he did the crime, now do the time, but that is an assumption. If it was hacked, then they had to have reason and motivation to craft years worth of Skype deets, which I find unlikely. Why him? What makes him so important that this would require framing him, hacking his machine or whatever is happening with the situation. It just all around smells like fish, and if it's a true legal battle, a lawyer worth his mettle would not have their client trawling through forums. If he were defending himself, maybe, but that I think would be most unwise, and a lawyer could find maybe a technicality that could nullify the whole case against him, such as how discovery happened, if it was legal, if there were any laws broken or rights violated, etc.

  • Upvote 1

13 hours ago, digip said:

Yeah, that was my point. Proof it can be hacked, but probably won't exonerate him as the one who actually did something they don't like. From my POV, no one hacked it, he did the crime, now do the time, but that is an assumption. If it was hacked, then they had to have reason and motivation to craft years worth of Skype deets, which I find unlikely. Why him? What makes him so important that this would require framing him, hacking his machine or whatever is happening with the situation. It just all around smells like fish, and if it's a true legal battle, a lawyer worth his mettle would not have their client trawling through forums. If he were defending himself, maybe, but that I think would be most unwise, and a lawyer could find maybe a technicality that could nullify the whole case against him, such as how discovery happened, if it was legal, if there were any laws broken or rights violated, etc.

I agree that trawling forums is quite unwise and suspicious - and trawling hacking forums to 'unframe' yourself is even more so. It is suspicious but it can also be logical. Looking at a hacking forum would be a thing someone-who-has-very-little-knowledge-about-computers would do if they got hacked. However, it would also be something that a hacker-who-messed-up-big-time would do. 

I'm not really helping here, just rambling.

Not sure if anyone noticed him say this either..

On 5/16/2017 at 6:51 PM, GeeBee said:

i know its been hacked because i know i didn't do it

*puts his Analytical Hat on* I also noticed this line..

On 5/16/2017 at 6:51 PM, GeeBee said:

is it just a hard to detect back door ? if so what is the hardest to detect ?

This line could mean 1 of 2 things..
1: He is trying to figure out if the hack he used is completely undetectable or not
2: He is trying to find out what hack was used on him

However, my understanding of this here is of something weird. He used 'if it is a hard to detect backdoor, then what is the hardest to detect' which doesn't make much sense.

Also, realise that if you were guilty, using a completely undetectable hack trying to frame yourself using a Skype conversation, why would you bring it up with the company? Wouldn't you just leave them out of it as much as possible? Why risk bringing them into it when you know they will find stuff that will frame you?

3 possibilities I can see here..
1: He's messed up, thinking they will easily see that the Skype conversation is planted (you know, like in the movies where it is so blindingly obvious to the characters that it is planted) and assuming they will assume that he wouldn't do something like that
2: He's innocent
3: He wanted to see how easy it was to get away with the hack he used - though he risked a fair bit (maybe he doesn't care about his job and just wanted to see if it was possible to stay in the job after that kind of hack, who knows)

 

Sorry, that's a bit of a wall..of text..


Think the conversation is quite interesting, personally as per my first post I agree with digip in that this appears to be a guilty man scratching for plausible deniability - but again it's just a hunch and we will probably never know.

Also consider how many companies (with valuable data to protect) that allow employees to buy their own IT hardware, operate without restriction/policies on the machines or operate without VPN back to company restricting network and allowing monitoring.

So much work went into this "framing" that it doesn’t seem proportional to the value of the loss. Could also be a forum troll, for example :)

 

Edited by Just_a_User

On 5/31/2017 at 3:19 PM, digip said:

Hey Primz, maybe read all of his posts in this thread if not everyone else's.

 

@GeeBee If proof is all you need that a hack can happen, you could have one demonstrated in similar fashion to the following.

1 - Have third party pentester team or infosec people on hand.

2 - one work issued laptop, with patch level to that as it was when you were told about the issue, ie: before WannaCry type patches came out.

3 -  second laptop used by infosec team as listener for reverse shell

4 - ducky with payload to spawn reverse shell to infosec team's laptop, with payload that never touches disk and only runs in memory

5 - router with only you and the infosec team connected to it to share same local subnet

From there, show them plug in the ducky to execute the reverse shell, while having the attacker laptop listening for it, and then demonstrate how they can do things to the system like copy and remove files.

This probably isn't going to be enough to get you off, but can at least demonstrate that your machine can be attacked (which all things can be hacked with the right circumstances in place).

You could even have them demonstrate some other flaws, like the recent attacks that used DoublePulsar or WannaCry, any of the Shadow Brokers attacks for that matter, which can be modified to run via Metasploit and a Meterpreter session to never touch disk. There are tools for pulling your Skype creds as well which would be stored on your machine and can be abused third party.

 

Hi all

I'm considering whether I should pay for my own specialists to look into this and represent me, but if I'm about to lose my job it's money I don't think I want to be spending unless I'm sure it would help

there's no lawyers involved or anything like that, it's just an internal company investigation

this looks interesting above, but I don't actually understand it myself to be able to explain it to others as an option to investigate,

sorry if I seem a bit daft, but can you explain it a little simpler, especially line 4, what does that mean?

then the bit that says "show them plug in the ducky to execute the reverse shell", what's a ducky?

you then say "You could even have them demonstrate some other flaws, like......." but what flaw have you demonstrated above? how are you suggesting they hack the machine in the first place, is it to do with this ducky?

thanks in advance guys, you're a great help and I really appreciate it, my hearing is beginning July so not much time to get my experts in or write my counter report

 


Get a lawyer. Find out if your rights were violated and they broke any laws or company policies. If the job is that important, be prepared to take it to court. Otherwise, start looking for a new job.
