
I mean, I'm a tech guy here in my region (not a hacker...). When I sit in front of another person's PC, I notice a little fear about what I can do in the system.

It's obvious that I will not compromise/steal/etc. the system... One of my jobs is fixing systems, and I'm an "ethical guy" in that matter.

But I don't know the character, the ethics, of other tech guys that fix other PCs. Actually, a great part of my income is from customers that have problems on their PC and send it to other techies; those guys "fix" the PC, and some time after, the customer is knocking on my door, begging for help because the other guy "destroyed" the system.

But now, I'm curious. What can a (previously prepared) hacker do when he gets physical access to a system? I can think of 3 different "levels" of resources that a hacker can use in those situations, which will change what he will do:

  1. He possesses a USB drive with programs to compromise the system;
  2. He has broadband internet access on the target system, and he can do a quick download of a program;
  3. He has neither USB drives nor internet access, so he will try to compromise the system using some built-in operating system program or resource.

I know that the scope can be huge, so let's consider that the hacker will try to ease access from the internet, so that he can remotely access the victim's PC when he's at his home PC.

What can he do in those cases? How do I inspect the system for that kind of attack?

Karthik
    If a "hacker" with any real experience or skill has physical access to a PC, I would just throw away the hard drive and start fresh. Hours could be spent trying to find all the possible backdoors that could have been left in the machine. – jer.salamon Aug 28 '12 at 01:03

    With physical access, even hardware hacks could be placed, although this is outside the scope of the question. – Jacco Aug 28 '12 at 09:01

    You missed the obvious thing he can do. He can steal the physical computer itself. – Ramhound Aug 28 '12 at 11:45

    `Actually, a great parcel of my income is from customers that have problems on PC, send to another techies; that guys "fix" the PC, and some time after the customer is knocking my door` - While the other tech may be incompetent or malicious, taking a user's story about how somebody else broke their system at face value seems like a bad idea. Many users simply don't understand the consequences of their own actions. I have fixed a system and had a user trash it in less than an hour since they wanted to re-download their crap-ware. I had told them that it was the source of their problem. – Zoredache Aug 28 '12 at 18:45

3 Answers


To focus on your individual cases:

  1. Absolutely anything he wants. Malware, rootkits, backdoors, keyloggers, the whole shebang.
  2. Again, absolutely anything. It's exactly the same as having the USB disk, because he can set up a site where he can download the files he needs, or just download them from existing sites.
  3. Wipe the disk, delete system files, write batch files, modify system services, alter configuration, etc. The list is endless. There are a lot of malicious things you can do to a system without extra tools. It'd be trivial to write a VBScript to check the current date, compare it to a fixed value, then break the system if the dates match. Drop that into a run key and you've got instant repeat business.

In the first two cases, malware enables him to have full access to the box at any time. In the third case, it's still trivial. He could set up a hidden account on the machine, which he later uses for remote desktop. He could set up remote assist. Depending on which version of Windows the user is running, he could set up terminal services. He could even uninstall security patches to enable a remote code execution vulnerability, then exploit it from home. It's really not that difficult to make a machine like that remotely compromisable.

Polynomial
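The question also asks how to inspect a machine for this kind of tampering. The following read-only PowerShell script is an added example, not code from the original post or from any of the answerers; it enumerates the places Polynomial's answer names (Run keys, a hidden local account, Remote Desktop / Remote Assistance and the terminal services service, removed patches) plus scheduled tasks, and prints them for comparison against a known-good machine. It assumes Windows 10 / Server 2016 or later with PowerShell 5.1 (for Get-LocalUser and Get-ScheduledTask) and an elevated prompt; the registry paths are the documented Windows locations for those settings.

```powershell
# Added example: read-only inspection of the persistence and remote-access
# artifacts listed in the answer above. Assumes Windows 10 / Server 2016+,
# PowerShell 5.1, run from an elevated prompt so HKLM and all tasks are readable.

$findings = @()

function Add-Finding([string]$Area, [string]$Detail) {
    $script:findings += [pscustomobject]@{ Area = $Area; Detail = $Detail }
}

# 1. Autostart (Run / RunOnce) keys: a date-triggered script dropped here is the
#    "instant repeat business" scenario from the answer.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the registry provider's metadata
        $cmd = [string]$p.Value
        # Entries launched through a script host or shell deserve a closer look.
        $flag = if ($cmd -match '(wscript|cscript|powershell|cmd\.exe|\.vbs|\.bat|\.ps1)') { ' [script host]' } else { '' }
        Add-Finding 'Autostart' "$key\$($p.Name) = $cmd$flag"
    }
}

# 2. Local accounts: anything enabled that the owner did not create, and accounts
#    hidden from the logon screen via the SpecialAccounts\UserList key (value 0 = hidden).
$hiddenKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
$hidden = @()
if (Test-Path $hiddenKey) {
    $hidden = (Get-ItemProperty -Path $hiddenKey).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and $_.Value -eq 0 } |
        ForEach-Object { $_.Name }
}
foreach ($u in Get-LocalUser) {
    $note = @()
    if ($u.Enabled) { $note += 'enabled' }
    if ($hidden -contains $u.Name) { $note += 'HIDDEN FROM LOGON SCREEN' }
    if ($u.PasswordLastSet -and $u.PasswordLastSet -gt (Get-Date).AddDays(-30)) { $note += 'password set in last 30 days' }
    if ($note.Count -gt 0) { Add-Finding 'LocalUser' "$($u.Name): $($note -join ', ')" }
}
$admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }
Add-Finding 'LocalAdmins' ($admins -join '; ')

# 3. Remote Desktop, Remote Assistance and the terminal services service: all are
#    legitimate features, so the question is whether the owner turned them on.
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 0) { Add-Finding 'RemoteDesktop' 'Remote Desktop connections are ALLOWED (fDenyTSConnections=0)' }
$ra = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance' -ErrorAction SilentlyContinue
if ($ra -and $ra.fAllowToGetHelp -eq 1) { Add-Finding 'RemoteAssistance' 'Remote Assistance is ENABLED (fAllowToGetHelp=1)' }
$termSvc = Get-Service -Name TermService -ErrorAction SilentlyContinue
if ($termSvc) { Add-Finding 'Service' "TermService: $($termSvc.Status), start type $($termSvc.StartType)" }

# 4. Patch state: uninstalled updates leave a gap in the hotfix timeline. Report
#    count and newest install date for comparison with a known-good machine of the same build.
$fixes = Get-HotFix | Sort-Object InstalledOn -Descending
if ($fixes) { Add-Finding 'Patches' "$($fixes.Count) hotfixes; newest installed $($fixes[0].InstalledOn)" }

# 5. Scheduled tasks outside the Microsoft tree: the modern equivalent of a Run key.
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' -and $_.State -ne 'Disabled' } | ForEach-Object {
    $actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' | '
    Add-Finding 'ScheduledTask' "$($_.TaskPath)$($_.TaskName): $actions"
}

$findings | Format-Table -AutoSize -Wrap
```

The script changes nothing; it only reads registry values, account state and service status, so it can be run on the customer's machine before deciding whether to clean or rebuild. The useful output is the diff against a freshly installed machine of the same Windows build: an unfamiliar enabled account, a Run entry pointing at a script, RDP allowed on a home PC, or a hotfix count well below the reference all warrant the rebuild the commenters recommend.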

As mentioned above, in my experience, with any kind of access, physical or remote, most anything can be done; shred it if you are not 100% sure that the hacker has not already gained remote root access.

I tend to find, in personal time, a friend or a peer with a thought of having been slapped with a rootkit as a kind of "cat and mouse" game of fun. But on the same level, it is only for the white hat in me to learn the means of access and how the level of permissions was obtained.

This said, in my professional experience, it would be my first thought to run Wireshark or nmap on the system and, if you have an on-site backup server, to make sure the backups have not been infected or breached.

To wrap things up, if the hacker has malicious intent and has PHYSICAL access to the system, at your own risk, attempt to recover data off of it, but dump it; recovery can be far past an option at that point.

Keegan Black

In general, physical security is a critical (arguably the most critical) part of IT security. At the end of the day, almost anything can be overridden with local access to the hardware. Encryption still offers some protection, but the encrypted data can be extracted directly, and if it moves unencrypted on the hardware, if sufficient resources are invested, often the system buses themselves can be tapped. (This is how the original Xbox's DRM was broken.) Effectively, on a running system, all other security is meaningless if physical security is not maintained, since any and all access could be monitored or altered.

AJ Henderson