I have a plan that I would like to carry out to demonstrate to employees the possible hazards of browsing the Internet on company computers. I would like to conduct a security meeting with those that handle sensitive information. During this meeting, I would ask each participant to provide me with a 5 digit number, which I would place in a text file. Once everyone had submitted thier numbers, I would save the file containing their numbers. Meanwhile, I would have created a bogus web site on our internal network... and here comes the tricky part... have placed a script that would run that would copy the txt file to my assistant in another room. He would arrive with everyones numbers.
I could probably "fake" this by having my assistant use the admin share and retrieve the file in that manner, and even if a few catch on, I think those that do would deem it justifiable.
Nonetheless, has anyone ever attempt such as this? How did you do it? Could I embed such a script?
Thanks!
This conversation is currently closed to new comments.
Not sure that I like having my integrity called into question, for if I were to want to write malicious code for personal gain, I would have learned to do it a long time ago.
Still, the idea that I'm trying to get across, which I'm sure you would agree, when you deal with SSN's, DL's and bank draft numbers, it's just not something that should be taken lightly. My thought is that a demonstation of just how easy it would be to have our data compromised, would go a long way in educating our users.
I take it by your critique of my philosophy, that you 1) have not attempted to educate, 2) would not offer any thing constructive on the OFF chance that I were sincere, and 3)don't know.
Boohoo. <br> You're assuming a lot of things too. You are basically ignorant, and even worse, can't see it. It wouldn't surprise me that some of your users have a better idea of security than you do. <br> Quick, name 5 security tools or mechanisms in place on your network. How many do you have on your network? What operating systems and applications are on your network? Here's a good one, how many computers are on your network? Wired and wireless?
Well here's the match to light your flame war, if you want it.
I know exactly what you are trying to accomplish. Some people need to be shown what can and does happen in the 'wild wild west' to make them believe that we are not spouting nonsense. And I agree that safeguarding data is of the important tasks that must be done.
I can not tell you how many times there have been questions on this site on how to hack a password, hack a website, or bypass safeguards put in place by IT administrators. Most of the prior listed actions are illegal behavior and we don't offer advice on those issues on this forum.
The point I was TRYING to make is that I have no clue who you are. As an IT Professional, I WILL NOT help someone I don't know, do what you requested. If you were an IT professional, you would have known that there was bound to be some skeptics out there question your request and intentions, since it amounts to creating a website that could be used for data theft and not just your "demonstration". As you should know, nothing stops a person from concocting a sob story to try and get someone to help them do something illegal.
As to your "critique" of my post, you can go pound dirt and stamp your feet and act all childish. 1) I teach users DAILY. I may not be an educator by title, but I pass on information, tips and tricks to anyone that will listen. 2) I could offer advice. See my prior paragraph. 3) I could do what you want; I just won't. Period. See my prior paragraph.
It all boils down to anything posted here can be read by ANYONE. We as a community (TechRepublic peers) have made decisions as to our conduct on this forum.
Never been in a flame war, and do not really feel like getting involved in one today.
Thank you for taking the time to further explain your position. As it is, I better understand your stance on the matter, if not your initial reaction.
And it is quite possible that I overreacted to your response.
I'm just an IT guy in a small city in Tennessee, trying to keep our data secure, and make do with the meager budget given to me by the City Council. (They are a great council, they are very supportive of most IT projects, but security just doesn't quite sink in.) (yeah BOO-HOO, "Who ain't got their budget cut!!!??")
In closing, am I to assume that there are no other suggestions on accomplishing the goal in the original post, other than ways that persons on this forum would deem inappropriate?
Thank you, JLLawson
Collapse -
Use IE on an unprotected computer that'll be reformatted.
Surf to Warez sites, find some dodgy download sites and make note of how long it takes to get infected. Better yet, (less work) there is plenty of documentation about how long an unprotected computer will last. It seems that it's less than 10 minutes. <br> So, what security tools are you going to use? Or don't answer. Not my problem.
Articles and news reports on companies paying huge fines and postage when privacy information is compromised. Usually the dollar signs will open their eyes. ;-) :-)
To use a packet sniffer and show them the difference between secured (https) and unsecured (http) websites. One of my boss's did something similar once to show that e-mail on the network can be read in plain text, vs using encrypted e-mail. Very effective for getting the $$ in the budget for a PGP server.
I kind of get huffy/PO'd when I'm personally attacked. So I may have overreacted as well.
If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.
Demonstrating effects of spyware
I could probably "fake" this by having my assistant use the admin share and retrieve the file in that manner, and even if a few catch on, I think those that do would deem it justifiable.
Nonetheless, has anyone ever attempt such as this? How did you do it? Could I embed such a script?
Thanks!