The Wolf and The Sheep
Understanding the Weaknesses of the Greatest Database Security Systems
Sheep never realize a wolf is around until it is too late. Then they do exactly what the wolf expects them to do. They run into each other. They fall down. They become dinner.
In a world full of increasingly advanced technology, it is important that an organization pays attention to its data. However, the common phrase “a chain is only as strong as its weakest link” also applies to database security systems.
Imagine the following case:
- A hacker manages to hack the OS of the printer used by the organization, then
- The hacker manages to capture the image of the printed data and the data stream.
It is easy for an eager hacker to do that, because there is no consumer printer sold today that has built-in malware protection. By using the vulnerability of the wireless network application in the printer software, a hacker can use his/her phone to wirelessly intercept the printer’s data stream until they find what they are looking for. Sometimes, that data can be crucial. But usually, the “gold” is hidden in plain sight, such as the employee data. Once they have found the data they need, it is only a matter of time before they are able to ruin things in a way that could ultimately destroy any future that organization could hope to have.
People. They are easy to manipulate. They can easily be led to believe that what is wrong is right. People are also the heart of any organization, its veins and its brain. They are the strongest asset in protecting its valuable data, but also its major weakness. People cannot be constrained to a certain set of rules, because sometimes they make mistakes.
Let us continue with our imagination:
- The hacker has hold of the personal data of one of the employees.
- They send that employee an email that appears to be a gift certificate. All he/she has to do is print it.
- Then the victim falls for the hacker’s trick and prints the email, as the hacker expected.
“What can go wrong?” you may ask. Plenty, is the answer. At this point, the hacker has access to any of the computers in the organization’s network. None of the printers automatically monitor for threats, so that “gift certificate” the hacker just sent the employee to print was actually hiding malware in the print stream, smartly bypassing the company’s security. This means the hacker can now use the printer to get around the firewall, access all the unencrypted data, and route it to themselves. It is a mouthful, but actually really simple.
Because many organizations’ IT departments do not automate their security monitoring, not only can the hacker see every document that gets printed in this place, they can also see all the good stuff hiding on the computers, too. It is amazing how much stuff people leave in the office, including their personal information. The ironic thing is that these people have probably spent a fortune securing their network and servers, but, because no one bothered to arm any of their PCs with a BIOS defense system, some kind of malware is free to do its thing.
The ultimate attack may include some huge, elaborate plan to worm their way into the video conference, etc. But actually, they do not have to. It comes back to the problem with people, who again may make mistakes. They may have left part of a printed confidential document right on the printer because they forgot to pick it up. So now it is just sitting there, waiting for anybody willing to pick it up and share it. It is easy for a printed document to get mishandled and go unclaimed.
The problem escalates quickly. First, the hacker gets control of the printer. Second, they get control of the network. Then, they get control of the data. Lastly, they can determine the future of the organization as they wish. However, the truth is, the hacker may not have anything against them. The victims may seem like perfectly nice people. But that is beside the point. The reason may be simple: because they can.
And who knows, maybe next time they will come after yours.
by Adistianto Yuwono (1801431044)
Lecturer : Marisa Karsen/D4639