
This seems like a good way of doing data exfiltration from a secured/monitored computer. Just get the source from git and run it locally in the browser, then take whatever file you want to extract, zip it, and then encode it in base64, using this to copy it to your personal phone. I bet the Goldman Sachs programmer who went to prison for uploading his trading code to an FTP server wishes he had been more clever like this.



Personal electronics are off limits in environments where exfiltration is a concern. You put your personal devices into a metal cell at the entrance, and walk through a metal scanner, airport-style.

I've experienced this in a couple of factories that build consumer-grade devices; I can imagine this to be even stricter in places where stakes are higher.


Maybe for military bases and such, but I was thinking more in the world of finance, where computers are pretty locked down to prevent people from taking valuable code for predicting stock prices or high frequency trading. In those cases, people most certainly have their phones with them, but the workstations have USB disabled, the network is closely monitored (with nearly all file sharing sites blocked completely), and anything suspicious will show up in logs.


Friends of mine who work in high-security finance have told me about some fairly exotic things. Desoldering USB ports. Epoxying cable connectors into their sockets (to prevent easy removal - without chance of significant cable/device damage leading to investigation of issue).

I can only imagine the stuff that goes on at places like the NSA and CIA where the stakes are extremely high.


Isn't it easier to store all the computers in a secure room and then just have cable runs to the peripherals?

This gets rid of most physical tampering attempts. The only one left is that the employee could cut the cord of the mouse and jerry-rig a small USB port. You could get around this by forcing the use of PS/2 connectors.


And then people would exfiltrate data by toggling the numlock light programmatically.


Imagine being the guy who has to fix those computers when they break and finding only solutions like "just plug in this USB stick and boot from it to run this fix utility..." or the ever-present assumption that the machine is connected to the Internet 24/7.


You don't fix them.

You bring in an entirely new machine, and the old one is securely destroyed.


Oh yeah, like getting a new machine through purchasing and certified for the SCIF is a walk in the park...


You have a stock of prepared, vetted replacement machines.

You can replenish it slowly after you have just handed over a replacement.



Maybe they should be, but they definitely aren't in most places. Maybe some hedge funds ban phones but most banks don't. And having worked in several SCIFs for TS material, phones were banned but there never were scanners.


I was going to post about how there was a whole thing a few years back about how people suspected there was some malware using audio frequencies out of the hearing range to try to circumvent airgapped systems.[1]

Then I did a Google search and found that it's much more common now, with academic papers, actually developed malware and security software, and Blackhat talks on it.

So, yes, audio is used in data exfiltration, or at a minimum it's a known threat vector.

1: https://en.wikipedia.org/wiki/BadBIOS


Data loss prevention programs should be able to see you encrypting and encoding the file. Symantec’s website states it can detect someone encrypting a zip file or using PGP.

It’s a cool thought experiment. Just do it on your coworker's computer :-)
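A sketch of the kind of content check the comment above attributes to DLP products, as an added example that is not part of the thread and not any vendor's code: it scans text for base64 runs that decode to an archive header and reads the ZIP encryption flag. The function names, the 24-character threshold and the sample inputs are assumptions made for illustration.

```python
import base64
import io
import re
import zipfile

# Runs of base64 alphabet long enough to carry a file header (threshold is an assumption).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}")
MAGIC = {b"PK\x03\x04": "zip", b"\x1f\x8b\x08": "gzip", b"7z\xbc\xaf\x27\x1c": "7z"}

def find_encoded_archives(text):
    """Return (offset, kind, encrypted) per base64 run that decodes to an archive header."""
    hits = []
    for m in B64_RUN.finditer(text):
        raw = base64.b64decode(m.group(0)[:16])  # 16 chars -> 12 header bytes
        for magic, kind in MAGIC.items():
            if raw.startswith(magic):
                # ZIP local file header: bytes 6-7 are the general-purpose flags,
                # bit 0 set means the entry is encrypted.
                encrypted = kind == "zip" and bool(raw[6] & 0x01)
                hits.append((m.start(), kind, encrypted))
    return hits

def sample_inputs():
    """Constructed samples: a real in-memory zip and a hand-built encrypted-zip header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("notes.txt", "constructed sample content")
    plain = base64.b64encode(buf.getvalue()).decode()
    enc_header = b"PK\x03\x04\x14\x00\x01\x00\x00\x00" + b"\x00" * 20
    enc = base64.b64encode(enc_header).decode()
    return plain, enc

if __name__ == "__main__":
    plain, enc = sample_inputs()
    # Constructed monitored text: clipboard contents, a form field, ordinary prose.
    text = f"clipboard: {plain}\nform field: {enc}\nplain words only here\n"
    for hit in find_encoded_archives(text):
        print(hit)
```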


But there are a lot of easier ways to exfiltrate, I'd imagine. Encrypting data and using the web for transferring. This would have the effects of obfuscation, deniability and just simple data transfer.

Graphics cards are also massively high bandwidth devices... You'd need to figure out how to encode a digital signal and hook up to the wire. Or just record video off the screen.


Export data as a video of a shifting QR code.

Sounds like a cool project.


I actually wrote an implementation in Python of this exact idea:

https://github.com/ANIME-AnimeCoin/Pastel/blob/18676aa55fe0f...


There are all sorts of things that seem clever, until you think about the fact that, although nobody is paying attention now, once the stuff hits the fan, there will be all sorts of records that you were reading this article and posting in this thread and so on. And on the destination device, etc.


You could just use your phone to listen to the CPU to extract whatever you want.

https://www.pcworld.com/article/2082200/listen-up-rsa-keys-s...


Just do a fast/video QR code application. You can upload through the screen, one QR code at a time.


Their desktop session is video recorded and OCR is used for text matching of DLP.



