The strange case of the phantom intruder

About a year ago, our company detected unauthorized access to an internal system. The attack could have been carried out only by an insider or by an external attacker who had working internal credentials.

It started one morning when a sales staff member came in to find that her desktop had changed overnight. She'd left her machine locked using a password-protected screen saver, but when she returned in the morning, her e-mail client was open and her browser had been taken to AltaVista Co.'s Web site.

At first, we didn't believe her. We receive a small but regular number of alerts from staffers who think that the slightest unusual machine behavior proves that an evil hacker has taken over their machines. We have a physical access-control system that requires magnetic swipe cards at all doors in our building, so it's unlikely that an unauthorized person could have gained physical access to the user's system.

Our initial hypothesis was that the user had left her screen unlocked or had opened the applications herself before she left.

Because all Web access goes through our proxy server, we can trace activity back to a user and a desktop and extract the time of access from our logs. We use a proprietary screen saver that downloads news items from the Web and displays them on locked screens.

Our Web logs told us that the screen saver had been started at 6:03 p.m. The card-swipe system recorded the user leaving at 6:13 p.m. The Web logs showed that the AltaVista Web site had been accessed at 11:46 p.m. So the user hadn't left her screen unlocked, nor had she opened the applications herself.

We tried to think of possible explanations and kept coming up empty-handed. We knew it couldn't have been the victim, unless she was involved in a conspiracy with accomplices helping her fool the card-swipe system. But why would she notify us if she had carried out the attack?

I gathered my team to brainstorm possibilities. Perhaps someone had her password and unlocked the machine. Maybe the machine had some kind of Trojan horse code installed. We swapped out the machine for a new one and created a forensic image of the hard drive before reformatting it. We searched the image but could find no known Trojan horses.

Had we been convinced that it was a Trojan horse, we would have called in law enforcement. They have access to a database that contains the "fingerprints" (called MD5 hashes) of a large number of known files, including vendor-provided fingerprints of all of their software files. By excluding all the known Microsoft files whose signatures matched the fingerprints in the database, we could isolate any Microsoft files that had been tampered with.

But we didn't want to lose control of the investigation or risk damage to our organization's reputation so we put aside that line of investigation and interviewed the user again to see if she might have done anything to annoy her co-workers.

During that interview, the user mentioned that she shared her password with her teammates.

We shook our heads and shut down the investigation.

Obviously, one of the other staff members had unlocked the machine at some point. We could take our work no further. Instead, we helped the staffers set up a central file share so they could make their public files accessible to one another without sharing desktop accounts.

But a month later, the user was back. It had happened again: This time, had been opened, along with her e-mail. She swore that only she knew the password, so it must have been someone malicious.

We considered adding a keyboard sniffer to log keystrokes so we could tell if the abuse came from the keyboard or a piece of running code. Unfortunately, the user was using a Compaq Universal Serial Bus (USB) keyboard instead of a standard PS/2 connector, so that was impossible.

Closing In

The attacker struck again a few weeks later, and this time, we got our first real bit of luck. By linking the times the suspicious usage had happened to the swipe-card records, we could find the 10 to 20 people who had passed through the area each time. Only one name was on all three lists.

We had him! An employee of our contract cleaning company had been in the room during every incident. He had the opportunity. Now all we needed was a motive.

We called in physical security to arrange an interrogation of the suspect while I searched around the user's desk to see if the cleaning worker could have found any notes with passwords written on them that would have allowed him access to the user's account.

But there was nothing next to or under the system and its rather sleek, black keyboard. The keyboard that was it! I grabbed my phone and canceled the interrogation. The service worker was guilty of nothing other than being the only cleaner to do such a good job.

What had I noticed? Compaq keyboards have a series of buttons along the top. Called "easy access" buttons, they serve as shortcuts to commonly visited Web sites, like and, and to the user's e-mail client.

The cleaner simply brushed against these buttons while cleaning the keyboard. Although the workstation was locked, these keys still bypassed the security lock and launched the Web sites and e-mail client. (Compaq has since issued a patch.)Once again, the threat came from neither insiders nor malicious Internet attackers, but from IT vendors too keen to add new features.