OPSEC Failure

Gr@ve_Rose
8 min read · Apr 21, 2023

Back on August 18th, 2023, I went to Starbucks with a friend of mine to grab a drink. Little did I know that this innocent trip would lead to my largest Twitter interaction up until this point in my life. I’d like to go in-depth regarding Operational Security — OPSEC — and why it’s important.

First and foremost, I want to ensure that people reading this story understand what I’m trying to convey — stealing things or interacting with things which you don’t own (or have permission to interact with) is wrong. I don’t advocate breaking the law and I’m not suggesting you break it either. This did come up a few times on Twitter and it can be hard to differentiate good from bad intentions when talking about any type of security. Do good.

My friend (who I’ll call Jane) and I met up for a coffee at a nearby Starbucks over lunch on Tuesday the eighteenth. There were only three people behind the counter (one person on cash and the other two running orders) so there was quite a line-up. I asked Jane if she wanted to stick around or go somewhere else to which she replied that since we were here already, we should just stick it out. While making idle chit-chat about how busy we were at our respective jobs, something caught my eye…

You see, at Starbucks they often have long tables where people can just sit, enjoy their beverages or snacks and maybe even get some work done. I believe Starbucks put these tables in so that people at the same table could make new, random friends who were also seated at the table. It’s a neat idea to help facilitate the feeling of community. This day, seated at the table, was a man working on his laptop. The thing that caught my eye was that he got up and went to the washroom. But why did this catch my eye?

I tapped Jane on the shoulder and pointed out what I saw. She’s not into *Sec and didn’t immediately latch onto what I was so excited about. I pulled out my phone and snapped a picture before explaining to her what I’m about to type out in this post. I kept an eye on the items on the table to make sure nobody else did anything to them and after about four or five minutes, the man returned from the washroom and kept working.

The first thing that popped into my head was to talk with the man about how dangerous it was for him to leave his stuff unattended like that but I left it alone as I didn’t know what his posture would be like (angry, defensive) and didn’t want to drag Jane into all that hullabaloo. I figured that I would keep in line with my Neutral Good nature and gave myself an imaginary pat on the back for keeping an eye on his items.

“What are the actual threats?”, I hear you ask. I’m going to go over them right now so buckle-up. We’re going to look at this from a threat actor’s position, as if we were the “bad guy”.

The Bag

The bag itself is a very prominent attack opportunity for a threat actor. The immediate threat of going through the bag and taking something from within would only take a moment or two. Think about what may be in your work/computer bag or what other people may have in there… Work pass (can be cloned), notes (can be stolen and/or photographed), identification (gives away where you live/work), wallet (can be stolen and/or photographed) or perhaps a journal (can be stolen and/or photographed). All of these are items which would give a threat actor leverage over the victim in some fashion. The threat actor could use the victim’s place of work to track them and find out where they live by following them. The journal may have information on routines the victim follows or what interests they have. Cloning a work pass with a Proxmark (or similar device) can be done very quickly, and the threat actor can then access the victim’s work area as if they were the victim.

Now imagine it’s your bag and the threat actor threw in a small GPS device — like an Apple AirTag — into the bag. The threat actor now knows where that bag is at all times. And if you bring that bag with you almost everywhere, the threat actor knows where you are.

The Phone

Phones aren’t really stolen as often anymore since device security has improved greatly over the years but there are still some attacks that could be considered against a phone left alone like this.

Some applications use SMS-based Multi-Factor Authentication (MFA) which is where you log into a service and the service will send you an SMS with a one-time code. This acts as a second password, if you will. If we, as the threat actor, know that our victim uses SMS-based MFA and we have their password to a service, we just need to separate them from their phone while we get that code. While this is not a very opportunistic attack for a scenario like we’re facing, it is still a viable attack.

Another non-opportunistic attack would be to use the phone in conjunction with a physical and/or social engineering attack. Suppose our threat actor group is running a pretext in which we claim that “John Doe” is our contact who gave us permission. Should someone call the real “John Doe”, our cover will be blown. But if we control the actual phone, we can pretend to be “John Doe”. Again, this is a very specific scenario but plausible in a certain situation.

The last attack that comes to mind which is very opportunistic, is cloning the SIM card from the phone. Once we’ve cloned the SIM card, at some point in the future, we can use that in our own handset and have now fully taken over John Doe’s mobile.

The Laptop and RDP

This is the big Kahuna, right here. There are so many attack vectors available to a threat actor (both opportunistic and non) since the laptop is unlocked and logged into another machine through Remote Desktop Protocol (RDP) — essentially granting a threat actor access to two individual machines.

Let’s start with the quick ‘n dirty attacks of destruction which could be performed on either machine. A threat actor could quickly open a shell (or command prompt) and delete files. Depending on the type of command run, the files may or may not be recoverable. Imagine going to the washroom and coming back to your workstation only to see that all your user files are gone. They’re not in the Recycle Bin — they’re not anywhere. Now imagine if you had some sort of elevated or administrative privileges on the machine you’re RDP’d into and all the files on that machine were gone as well. *poof* All your work as well as all the work anyone else stored on that machine has been irrevocably destroyed.

# Let's create a small script to
# irrevocably destroy all the files
# in the user's home directory...
for file in $(ls -aR $HOME); do
shred -n 7 -z $file
done

Another attack vector would be installing a Remote Access Tool (RAT) which would likely connect into a Command and Control (C2) server run by the threat actor. While there are protections in place (such as XDR, AV and the like) to help prevent such software from running, there are always ways around them. If a threat actor has the knowledge and has developed a custom RAT or C2 implant to bypass the protections, then these machines can now be controlled by the threat actor over a longer period of time. “But wouldn’t that take a long time to set up on the target?”, you ask. It could, unless you’re using a hardware tool like the amazing Hak5 Rubber Ducky (https://shop.hak5.org/products/usb-rubber-ducky) or the versatile FlipperZero (https://shop.flipperzero.one/) using the BadUSB feature. These can help a threat actor perform tasks in a fraction of the time it would take a human to accomplish.

It’s also possible to plant something malicious in an application that is installed on either the laptop or the RDP target — although difficult to see in the photo, this person had some sort of programming code loaded up in the RDP session. A skilled enough programmer could quickly implant or otherwise embed malicious code that the victim may not notice for a while, if ever at all.

Data exfiltration would be pretty simple to do as well. By plugging in a USB stick or other portable storage device, you could likely acquire a lot of files off the computer. Even more so if you had an accomplice watch the bathroom door and run interference against the target to give you more time.

These are just a few ideas of what could be done to an unlocked system — the possibilities are almost endless. Keystroke logger, anyone?

The Drink

Yes, the drink. The drink is an attack vector as well should someone decide to add something malicious to it. You may be thinking that poisoning someone is a bit much and, you’re right, it is. But I’m not talking about killing someone with cyanide… You could switch the drink so the victim left to complain about it which, in turn, would give you more time on the other devices. You could add something less toxic like ipecac oil to induce vomiting in order to make the victim sick and further attacks against them — a threat actor could swoop in to take their “friend” outside and take care of him while, in reality, the target has now been kidnapped.

The Reality

Some of you reading this might be thinking that everything discussed here is way out there, only in the realms of James Bond or Jason Bourne and that nobody would actually do stuff like this. But here I am, proffering these suggestions and I’m not on the “Bad Guy” team.

Winnie the Pooh

There’s something else that I haven’t touched upon yet. This could have been a physical honeypot. Sometimes, in *Sec, administrators will create sites with realistic fake data stored in them. By doing so, they are able to watch the threat actors, learn what techniques they use and even have the threat actors arrested. It’s entirely possible that the police had staged this in order to provide a honeypot to would-be criminals, hoping to catch them in the act and arrest them.

Now imagine yourself, a good-natured person, seeing this unfold. Maybe you want to let the person know that this is poor OPSEC but, instead of confronting them, you want to leave a note on their desktop. You walk over to the laptop, open a text editor and leave them a message. Turns out, however, this was a honeypot and you get arrested for a computer crime. Even though you had no ill intentions, you’ve now got an arrest record and possibly a conviction.

It would be great to live in a world where we didn’t have to worry about this type of threat. The unfortunate reality is that we don’t live in that world… Yet. Make sure you practice good OPSEC: Take your stuff with you if you have to leave the area. Always lock your workstation. Check your bag(s) before you leave. Perform the pocket-pat-down to make sure you’re not leaving anything behind. Display as little as possible to those around you. Be aware of those around you. Anyone could be a threat actor. Anyone.
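“Always lock your workstation” is advice that can be enforced rather than remembered. The PowerShell below is an added example, not the article’s code: it audits and sets the Windows machine inactivity lock and an idle limit for inbound RDP sessions (the registry values behind the corresponding Group Policy settings), so an unattended console or RDP session like the one at the table locks or disconnects on its own. The 300-second and 15-minute limits are assumed values; it needs an elevated prompt.

```powershell
# Added example (not the article's code): audit and enforce "lock when idle" on a
# Windows endpoint plus an idle limit for inbound RDP sessions. Run elevated,
# because both policy keys live under HKLM. The 300 s / 15 min values are
# assumptions; tune them to your own policy.

$LocalPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$RdpPolicy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-IdleLockPolicy {
    # Report the current settings; a missing property means "not configured".
    $local = Get-ItemProperty -Path $LocalPolicy -ErrorAction SilentlyContinue
    $rdp   = Get-ItemProperty -Path $RdpPolicy   -ErrorAction SilentlyContinue
    [pscustomobject]@{
        InactivityTimeoutSecs = $local.InactivityTimeoutSecs   # console lock, seconds
        RdpMaxIdleTimeMs      = $rdp.MaxIdleTime               # RDP idle limit, ms
        RdpEndSessionAtLimit  = $rdp.fResetBroken              # 1 = end, not just disconnect
    }
}

function Set-IdleLockPolicy {
    param(
        [ValidateRange(1, 599940)] [int] $InactivitySeconds = 300,
        [ValidateRange(1, 1440)]   [int] $RdpIdleMinutes    = 15
    )
    # "Interactive logon: Machine inactivity limit": the console session locks
    # after this many seconds without keyboard or mouse input.
    New-Item -Path $LocalPolicy -Force | Out-Null
    Set-ItemProperty -Path $LocalPolicy -Name InactivityTimeoutSecs -Value $InactivitySeconds -Type DWord

    # "Set time limit for active but idle Remote Desktop Services sessions"
    # (stored in milliseconds) and "End session when time limits are reached".
    New-Item -Path $RdpPolicy -Force | Out-Null
    Set-ItemProperty -Path $RdpPolicy -Name MaxIdleTime  -Value ($RdpIdleMinutes * 60000) -Type DWord
    Set-ItemProperty -Path $RdpPolicy -Name fResetBroken -Value 1 -Type DWord
}

function Lock-WorkstationNow {
    # Same effect as Win+L: what to do before walking away from the table.
    rundll32.exe user32.dll,LockWorkStation
}

Set-IdleLockPolicy -InactivitySeconds 300 -RdpIdleMinutes 15
Get-IdleLockPolicy
```

The RDP limit applies on the machine being connected to, so it belongs on the RDP target as well as the laptop; on a domain-joined host, set the same values through Group Policy so local edits are not silently overwritten.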


Gr@ve_Rose

CSO, Security Engineer, RedTeamer, PenTester, Creator of https://tcpdump101.com, Packet Monkey