Demonstrating effects of spyware

By JLLawson3
I have a plan that I would like to carry out to demonstrate to employees the possible hazards of browsing the Internet on company computers. I would like to conduct a security meeting with those that handle sensitive information. During this meeting, I would ask each participant to provide me with a 5-digit number, which I would place in a text file. Once everyone had submitted their numbers, I would save the file containing their numbers. Meanwhile, I would have created a bogus web site on our internal network... and here comes the tricky part... have placed a script that would run that would copy the txt file to my assistant in another room. He would arrive with everyone's numbers.

I could probably "fake" this by having my assistant use the admin share and retrieve the file in that manner, and even if a few catch on, I think those that do would deem it justifiable.

Nonetheless, has anyone ever attempted such as this? How did you do it? Could I embed such a script?


Yeah RIGHT...

by cmiller5400 In reply to Demonstrating effects of ...

Like we believe that set up. {rolling eyes}

No help here on how to code the malicious site because others than you may read this post. Even if it MAY be a legitimate request.

Demonstrating the effects of spyware

by JLLawson3 In reply to Yeah RIGHT...

Not sure that I like having my integrity called into question, for if I were to want to write malicious code for personal gain, I would have learned to do it a long time ago.

Still, the idea that I'm trying to get across, which I'm sure you would agree, when you deal with SSNs, DLs and bank draft numbers, it's just not something that should be taken lightly. My thought is that a demonstration of just how easy it would be to have our data compromised, would go a long way in educating our users.

I take it by your critique of my philosophy, that you 1) have not attempted to educate, 2) would not offer anything constructive on the OFF chance that I were sincere, and 3) don't know.

So you don't like it.

by Ron K. In reply to Demonstrating the effects ...

Boohoo.
You're assuming a lot of things too. You are basically ignorant, and even worse, can't see it. It wouldn't surprise me that some of your users have a better idea of security than you do.
Quick, name 5 security tools or mechanisms in place on your network. How many do you have on your network? What operating systems and applications are on your network? Here's a good one, how many computers are on your network? Wired and wireless?

Do you need a match to light the flame war?

by cmiller5400 In reply to Demonstrating the effects ...

Well here's the match to light your flame war, if you want it.

I know exactly what you are trying to accomplish. Some people need to be shown what can and does happen in the 'wild wild west' to make them believe that we are not spouting nonsense. And I agree that safeguarding data is one of the important tasks that must be done.

I cannot tell you how many times there have been questions on this site on how to hack a password, hack a website, or bypass safeguards put in place by IT administrators. Most of the prior listed actions are illegal behavior and we don't offer advice on those issues on this forum.

The point I was TRYING to make is that I have no clue who you are. As an IT Professional, I WILL NOT help someone I don't know, do what you requested. If you were an IT professional, you would have known that there were bound to be some skeptics out there questioning your request and intentions, since it amounts to creating a website that could be used for data theft and not just your "demonstration". As you should know, nothing stops a person from concocting a sob story to try and get someone to help them do something illegal.

As to your "critique" of my post, you can go pound dirt and stamp your feet and act all childish.
1) I teach users DAILY. I may not be an educator by title, but I pass on information, tips and tricks to anyone that will listen.
2) I could offer advice. See my prior paragraph.
3) I could do what you want; I just won't. Period. See my prior paragraph.

It all boils down to anything posted here can be read by ANYONE. We as a community (TechRepublic peers) have made decisions as to our conduct on this forum.

No need to strike a match

by JLLawson3 In reply to Do you need a match to li ...

Never been in a flame war, and do not really feel like getting involved in one today.

Thank you for taking the time to further explain your position. As it is, I better understand your stance on the matter, if not your initial reaction.

And it is quite possible that I overreacted to your response.

I'm just an IT guy in a small city in Tennessee, trying to keep our data secure, and make do with the meager budget given to me by the City Council. (They are a great council, they are very supportive of most IT projects, but security just doesn't quite sink in.) (yeah BOO-HOO, "Who ain't got their budget cut!!!??")

In closing, am I to assume that there are no other suggestions on accomplishing the goal in the original post, other than ways that persons on this forum would deem inappropriate?

Thank you,

Use IE on an unprotected computer that'll be reformatted.

by Ron K. In reply to No need to strike a match

Surf to Warez sites, find some dodgy download sites and make note of how long it takes to get infected. Better yet, (less work) there is plenty of documentation about how long an unprotected computer will last. It seems that it's less than 10 minutes.
So, what security tools are you going to use? Or don't answer. Not my problem.

Show them some

by IC-IT In reply to No need to strike a match

Articles and news reports on companies paying huge fines and postage when privacy information is compromised.
Usually the dollar signs will open their eyes. ;-) :-)

An easy demonstration would be...

by cmiller5400 In reply to No need to strike a match

To use a packet sniffer and show them the difference between secured (https) and unsecured (http) websites. One of my bosses did something similar once to show that e-mail on the network can be read in plain text, vs using encrypted e-mail. Very effective for getting the $$ in the budget for a PGP server.

I kind of get huffy/PO'd when I'm personally attacked. So I may have overreacted as well.

Best of luck in your endeavor.
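
The http-versus-https comparison suggested in the post above can be shown in a training session without touching live traffic. The following is an added example, not code from the thread or any of its posters: it takes two captured-style TCP payloads and reports what a passive observer can read from each. Both payloads, the host name and the form field names are constructed samples.

```python
import struct
from urllib.parse import parse_qs

TLS_TYPES = {20: "change_cipher_spec", 21: "alert",
             22: "handshake", 23: "application_data"}

# Constructed sample: a plaintext HTTP form submission (not a real capture).
HTTP_SAMPLE = (b"POST /login HTTP/1.1\r\nHost: intranet.example\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: 29\r\n\r\nuser=jdoe&pin=48213&next=home")

# Constructed sample: one TLS application-data record with 16 opaque bytes.
TLS_SAMPLE = b"\x17\x03\x03\x00\x10" + bytes.fromhex(
    "8a1f6c03d97e42b5c0e4117a9d23f658")


def observer_view(payload: bytes) -> dict:
    """Return what someone capturing this payload can learn from it."""
    # TLS record header: content type (1), version (2, major is 3), length (2).
    if len(payload) >= 5 and payload[0] in TLS_TYPES and payload[1] == 3:
        ctype, _major, _minor, length = struct.unpack("!BBBH", payload[:5])
        return {"protocol": "tls", "record_type": TLS_TYPES[ctype],
                "record_length": length, "readable_fields": {}}
    # Otherwise try to read it as a plaintext HTTP request.
    head, sep, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if not sep or len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return {"protocol": "unknown", "readable_fields": {}}
    headers = dict(l.split(": ", 1) for l in lines[1:] if ": " in l)
    fields = {}
    ctype_hdr = headers.get("Content-Type", "")
    if ctype_hdr.startswith("application/x-www-form-urlencoded"):
        # Every submitted form value is readable as-is on the wire.
        fields = {k: v[0] for k, v in parse_qs(body.decode("latin-1")).items()}
    return {"protocol": "http", "request": lines[0],
            "host": headers.get("Host"), "readable_fields": fields}


if __name__ == "__main__":
    for name, sample in (("http", HTTP_SAMPLE), ("https", TLS_SAMPLE)):
        print(name, observer_view(sample))
```

Over plain HTTP every form value is recovered; over TLS only the record type and length are visible.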
