Tuesday, April 28, 2009
I'm Stealing A Laptop Today!
Don't get excited. I haven't gone over to the Dark Side.
Besides, it's my own laptop. That is, it's the laptop my employer has issued to me. And I'm not taking it home in my lunch box. This time.
I'm stealing it virtually!
You see, nobody steals laptops for the hardware anymore. It's all about the data. With the right access level, laptops, or any computer, can be stolen without ever busting a lock or leaving a fingerprint.
All with free tools easily available over the Internet. I'm not talking about "hacking tools" - you have to be brave to use that crap these days because you never know what might be hiding in them - I'm talking about legitimate software distributed by legitimate companies. In this case, VMware.
VMware distributes a nice little tool called the VMware vCenter Converter which allows you, among other things, to turn a real nuts and bolts box into a virtual machine.
Which is exactly what I'm doing now. As I type this, the bits and bytes of the hard disk in my laptop are flying over the Internet to a VMware server in my family room. When it's all over I will have an exact copy of my laptop, minus the hardware of course.
This is really No Big Deal. Anyone with the right amount of access can do this surreptitiously in your IT environment, cut the image to a USB thumb drive and take it home to hack at their leisure. Or sell to the highest bidder.
The trick is in doing it over the Internet. If I had a 32G USB drive I'd probably do it that way, but I don't. What I do have is a cable modem and three covert channels back to the office.
Plus an aging Linux box that I talked a former Boss into letting me install on the corporate network over eight years ago. If I had my way, Linux would only be allowed under the strictest security policy possible - it's just too damned powerful for mere mortals.
The biggest problem to overcome is establishing a common network share for the corporate and VMware boxes. That is accomplished with OpenVPN, the BEST damned Open Source SSL VPN on the planet.
That is covert channel #1. Channels 2 and 3 are port-forwarding SSH tunnels that connect back to HinkyNet over the corporate proxy. One of the SSH channels is established with a Cygwin service running on my corp workstation. The other is a bash script on a Debian VM that runs on the VMware GSX server on my workstation. All three will reconnect if the workstation is bounced and there is enough redundancy so that if any two of them go down the third can be used to bring the other two back up.
In practice, OpenVPN is the hardest to keep running, but that is due to the security limitations in our environment (many of which are of my own doing).
And because of that issue, I'm on my second attempt at this Proof of Concept exercise. I started yesterday and got 15 gigs downloaded before the OpenVPN connection crashed at 5AM this morning. I can also do this just as easily over SSH tunnels, but that would require using the VMware 2.0 server on my MythTV box, which currently has too much disk space dedicated to unwatched recordings of "Terminator" and "Life on Mars"!
The first time through is always a learning experience.
But the point remains: given enough time and enough access and the right tools, an insider can walk away with your company's entire IT infrastructure. I'm already looking into what can be done about this with the tools our company already has (like everyone else in this economy we're not spending cash we don't have). VMware and virtualization in general is so hot, no one is looking into the security implications these tools bring with them.
Or at least they're not publishing.