Stolen Endpoint

(imported topic written by Macideus91)

Recently we had a client computer stolen…Win7 64bit machine with data on it. Normally I would be able to delete the data on checkin…however, the user reset the admin password with some password reset feature built into Win7.

I see the pc checking in everyday…taunting me. I cant delete the date now since the admin password has been changed. I would really like to include C4 with the units I could initiate a destruct button but then that seems to not work either since I don’t have rights anymore. Is there any way to change the admin password remotely. I really need some genius to step forward and give me some hope. I do have the police getting legal on the ISP for the information on the account but I am 2 weeks into this whole mess things seem to be dragging along as I just sit here waiting.

Any ideas appreciated!

-Mike

(imported comment written by cstoneba)

the besclient is still running as the system account, so it as admin rights. Just issue it a command of something like " runhidden cmd.exe /c del

.

/y"

About a year ago, I created a task for the same purpose. It first queried WMI and if there was a camera on the device, it downloaded an app and took a picture, then it used a wget command to get it’s external IP, uploaded it to the BES sever, then started deleting files. All this occured to our DMZ relay. I never got a chance to fully try it out though.

(imported comment written by Macideus91)

interesting point

they dont have a web cam installed

i did do nmap though got mac address of modem and the at&t phone mac

it has a public ip…and i tried to remote desktop but it didnt work…ie because i dont know what the password is now or if the regular user account is still intact.

we got word that the subpeona was almost ready for the ISP for them to release the info of the user. here is a kicker…it is somewhere here local. if i knew who it was…i think i would knock on a door!

(imported comment written by cstoneba)

So what would you like to do to it then? delete boot.ini so that can’t boot \up, reset their admin account, launch a webbrowser on the endpoint that opens up the website of your local law enforcment :slight_smile: You could have alot of fun with this.

(imported comment written by JackCoates91)

encrypting the drive is always a fun option.

(imported comment written by cstoneba)

I always wanted for do a “format /u” , but you can’t format your boot partition in windows. You’d have to boot to a different parition first

(imported comment written by MattBoyd)

To get control of the system, you could use a BigFix task to give it a temporary admin password using NET USER Administrator . Remember to use a random temporary password, as it is NOT a secure way to set passwords and will be available in plain text.

Disk encryption is a better option, but should be installed on the laptop BEFORE it’s stolen :wink: and may not be feasible to deploy remotely.

A format or file delete command isn’t really a good option since the data can be easily recovered. That’s why we perform a DOD-compliant wipe on the systems that we are responsible for prior to getting rid of them. We’re using Active@ KillDisk for that. It does require booting into WinPE though. You might be able to use sdelete.exe from SysInternals to securely the files using multiple passes.

Of course, if the workstation is already in the hands of the thief, you may want to assume that any sensitive information may already be compromised. Reactive security isn’t much help here.

(imported comment written by MattBoyd)

And… if you aren’t up to speed on Illinois privacy laws, you’ll want to have a look at this: http://www.igfoa.org/PersonalInformationProtectionActResources.htm .

Hopefully, you have proof that there wasn’t customer PII on that workstation?

(imported comment written by Macideus91)

imagine that…a nasty popup for local law enforcement…my god man…that is genius! make it pop up every minute! or maybe let that be the only page it will open…even better

(imported comment written by Macideus91)

Well I guess it is a good thing the information on this machine isnt from an IL resident. I will check into laws for that state though. I had mentioned to my boss that we may have to do that very thing for those files compromised. I really don’t think they have found the data. I also spoke with my boss about updating our practice and password zipping up the data folders until they have reached there destination since once they arrive we have to remote in anyways it wouldnt take too long to unpack the info and it might be more secure.

(imported comment written by MattBoyd)

Good luck, hopefully the information didn’t contain PII, and hopefully the police track down the system/thief.

I know an accountant that makes use of TrueCrypt for encrypting sensitive data. That would be my first recommendation, but a lot of organizations have policies and practices that go well beyond encrypting PII. The recent PII laws are creating a lot of new security jobs.

(imported comment written by Macideus91)

you asked what i would like to do. I want you to know much thought went into this. The best thing I could do is just wait, however by now you have figured out that I am a bit impatient. So having fun to pass the time sounds good to me. I think what I would like to do is have the machine play the theme song “Bad Boys” and make it hard to stop!

Unless you have a better idea, but i think this should be standard for stolen endpoints.

(imported comment written by SystemAdmin)

I remember reading something about a guy who had his laptop stolen. Using some similar mechanism he had the laptop pop up something like:

“This laptop has been reported stolen. The police are on their way. You may turn yourself into the local authorities and receive a reduced sentence.”

The kid turned himself in…

-Zak

(imported comment written by StacyLee)

If there is data sensitive to your company you should also consider obtaining the last access/modified times of sensitive files. The motive of the thief could just be the hardware itself or the data. Seeing as the person is logging in and using it indicates that they may just wanted the hardware for themselves. Someone seeking the data should have done this offline and then wiped the systems for parts.

If you have customer data then your company maybe obligated to report this to the customer and authorities.

Wiping the data even to just get it out of sight is not a bad idea if its quick and dirty. So they don’t happen to stumble across the data.

We had a list of files we knew had certain data on it and dumped the read times to a log file and used analyses to report the data back into the bigfix console.

(imported comment written by Macideus91)

I basically turned all the information into our local police deptartment. All they had to do was get the subpeona and fax it to the ISP. They had problems even doing that. I really don’t think he understands how a fax machine even works. So after the Modulation De-Modulation speach…It has been weeks and I still haven’t heard a word and the machine still taunts my daily life. If I don’t hear something soon we have talked about getting the state police involved.

(imported comment written by SystemAdmin)

cstoneba

the besclient is still running as the system account, so it as admin rights. Just issue it a command of something like " runhidden cmd.exe /c del . /y"

About a year ago, I created a task for the same purpose. It first queried WMI and if there was a camera on the device, it downloaded an app and took a picture, then it used a wget command to get it’s external IP, uploaded it to the BES sever, then started deleting files. All this occured to our DMZ relay. I never got a chance to fully try it out though.

That is is real cool solution to retrive stolen endpoint, is it possible to share your fixlet?

(imported comment written by cstoneba)

sorry, i can’t find it anymore.

(imported comment written by SystemAdmin)

You might find this of interest in trying to recover a stolen computer: http://forum.bigfix.com/viewtopic.php?pid=36772