Hacker News new | past | comments | ask | show | jobs | submit login

This makes me think of an even more straightforward attack. How hard would it be to actually just ship them computer hardware and hope it makes it into the system?

I mean, if a package that looks like it came from NewEgg containing a router shows up, especially if it matches the type the company usually uses, which wouldn't be too hard to figure out, what are the chances it just gets tossed on a shelf to be used next time one is needed? Or do companies have sophisticated controls in place for something like that?

Or just leave a usb stick (really have it be a usb rubby ducky or bash bunny) in the parking lot. Someone will find it and be like "OH I wonder whose this is, it could be important, I better plug it in and found out." TaDa, you now have a shell to their network.

It's the opposite -- companies lack sophisticated controls and without impetus they'd just never get the item into teh right place to use the item.

Maybe if you shipped it at the same time someone was expecting it, you could get it to someone who knew what to do with it. Or ship it to the newegg/amazon warehouse to get mixed in with regular deliveries.

This is sort of what NSA did to Cisco routers...


Package everything up in a Kinesis Advantage.

Applications are open for YC Winter 2020

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact