This paper explores the attack concept of piggybacking, and the two main categories associated with it, as well as the similar attack of tailgating. Examples are given, following an explanation of the nature of piggybacking attacks, as well as some means of prevention.
In order to explain piggybacking, consider it as an example in a real-world situation: You buzz a friend at his apartment building. While waiting for him to release the door lock, another occupant opens the door and goes in. You follow, going in as well. In analyzing the situation, you are not a resident of the building and don't have the means to gain access to the building. However, you 'exploit' the access capabilities of another person (the legitimate occupant) and enter the building anyway.
Piggybacking is a particularly interesting type of information attack, as it can be done both electronically and physically. Both are equally threatening and potentially dangerous breaches of security, and both usually involve some type of inside aid.
Electronic piggybacking can take place in an environment where access to computer systems is limited to those individuals who have the proper user ID and password (or other means of authentication). Once the terminal or workstation has been successfully logged into, it can be compromised by an attacker on a covert workstation that is connected to the same line. Here, the attacker can remotely use the workstation when the legitimate user is not - the computer cannot differentiate between the two workstations and senses only one authorized user. Another form of electronic piggybacking takes place when a user fails to properly terminate a session, the logoff is unsuccessful or attends to other business while still logged on. In this case, the attacker can take advantage of the active session. Basically, electronic piggybacking involves an attacker intercepting any type of electronic communication and substituting their own message to be sent to the rightful user or system.
Physical piggybacking occurs as the exploitation of a false association to gain any type of advantage. Basically, an attacker can slip behind a legitimate employee (who is cleared for access) and gaining access to a secure area that would usually be locked or need some type of biometric for entrance. Success in this form of piggybacking heavily weighs on the quality of the access control mechanism (door lock, key card device, etc.) and the awareness of the legitimate user in resisting or allowing intrusion by others.
Tailgating involves connecting a user to a computer in the same session as (and under the same rightful identification as) another user, whose session has been interrupted. An example of this situation would be when a dial-up session has abruptly terminated and the communications controller allows for the illegitimate user to be patched into the legitimate user's still-open files. The problem here results in administrators setting the controller to send 'data-terminal-ready' signals constantly, so the modem will quickly pick up a new session after the disconnection from the previous. This sometimes allows a new session to tailgate on the old session, potentially letting an unauthorized user gain access.
Potential Perpetrators: Unauthorized employees and former employees, employees or staff of a vendor, people under contract for some type of service or outsiders.
Prevention and Detection: potentially highly difficult. The high degree of human error may thwart some preventative methods and detection schemes.
An interesting point is that piggybacking is made easier by psychosocial factors, like politeness, where it's considered a social norm to hold a door open for a colleague or guest. This type of security violation may not register as one, because such behaviors are socially accepted. Also, locking up one's workstation for a short break may make a new user uncomfortable, as it implies mistrust in other employees. Piggybacking is often an attack used in conjunction with social engineering and impersonations.
Once the piggybacker has access (either electronically or physically), he or she can do everything that legitimate users can, and them some, depending on the motives. The severity of this type of attack is potentially very high as well, because any form of theft, diddling, deletion, Piggybacking exploits the underlying threats to confidentiality, integrity and accessibility of information.
Although potentially difficult, there are a number of ways in which both types of piggybacking can be detected:
Through general observations of physical and electronic access
Interviewing witnesses or employees
Examination of journals, logs, audit trails or security videotape
Viewing messages that may be out of sequence
Specialized programs that that can track and analyze characteristics of user logs-ons and computer accesses.
2002: Brilliant Digital Entertainment (BDE), a California-based advertising company had been distributing its ad technology with the Kazaa P2P (peer-to-peer) software program. Based on the results of an annual report by BDE, it actually had been distributing more advanced programs with Kazaa, ones that could remotely turn people's PCs into new network nodes, host and distribute 3rd party content and borrow unused processing power. Of course, most P2P programs have spyware or other programs piggybacked on them, as a means of advertising companies to collect and circulate information. The user unknowingly allows this type of activity to occur, by agreeing to and skipping over the details of the activity contained in the Terms of Service. BDE asserts that using P2P software in such a fashion helps distribute content more quickly and establish networks of ad or file servers. These instances of piggybacking are at the concerns of privacy rights advocates, as it occurs frequently.
2001: Along the same lines, there has also been instances of piggybacking software for data mining purposes within similar programs like Napster and Gnutella. Here, a company called BigChampagne distributes types of piggybacked software that can search a user's hard drive for certain bits of information (a specific mp3, for example) and point advertising information, personalized instant messages and other data at the user.
2002: There are also instances of computer viruses piggybacking each other. Take the Klez virus for example, which in May 2002, was deemed #1 most widespread by the Russian antivirus company Kapersky. Klez had been accountable for 96% of all reports of virus attacks during that time frame. Another 1% of virus attack reports had been made about two other viruses, CIH and Elkhern, which were found to actually piggyback Klez.
There are numbers of ways to prevent piggybacking, especially physically. There are a plethora of physical access technologies that are cropping up, as a means to keep intruders (piggybackers and social engineers) out. Key card and key pad access control systems are already widely used, but once access is granted, anyone could pass through the door.
Appropriate awareness training and practice is key. Employees should be trained to spot others attempting to piggyback on their access capabilities. This level of awareness can essentially help the reduction of human error in piggybacking attacks.
"Deadman" doors consist of a system of two doors, with a holding area in between. In order for the second door to open, the first must fully close and lock, with only one authorized person in the holding area.
Revolving doors are a means to control the number of people coming in and going out. They can be implemented with different types of verification devices, such as a biometric technology, a card swipe or pushbutton behind a guard desk. Revolving doors consist of four compartments that form a secure barrier against the outside. They isolate the secure area from the non-secure area, and allow one (authorized) person through at a time. Revolving doors are considered by many in the security profession to be "always closed" (to direct airflow, pollution, unauthorized people) and "always open" (for those with the proper access validation).
Other more advanced anti-piggybacking methods include those aimed at protecting assets, like having weight sensors in the flooring of an exit, preventing heavy objects (computers, file boxes) from being carried out. Such door sensors can even prevent the exit of a person carrying a briefcase, to where they'd have to stop and have it examined by a security officer.
Real-world examples of physical piggybacking seem to be a bit hard to come by. I'd be interested in doing some deeper research into this type of attack - as to how frequently it occurs, how it correlates to the element of human error to information protection, and whether or not victims of physical piggybacking (and the other types of attacks that follow) are willing to report such a vulnerability in their security scheme.
Overall, both types of piggybacking are significant attacks and are relatively difficult to fully assess. Piggybacking can lead to a chain of attacks, which develop from the initial exploitation of a legitimate user. It's also difficult to find a perpetrator, as they carry out their malicious activities and hide behind their victim's identification.
. CISSP - Piggybacking and Tailgating.
. Crime Stoppers - Computer Abuses: Piggybacking and Impersonation.
. All.net's definition of Piggybacking.
. NCSA Guide to Enterprise Security.
. Ethics, Spies and Piracy: PPT Presentation.
. Edgar, Stacey L. Morality and Machines: Perspectives on Computer Ethics. Sudbury: Jones and Bartlett Publishers, 1997
. Risk Assessment.
.CNet News: "Stealth P2P Network Hides Inside Kazaa".
. Wired: "Piggybacking P2P".
http:/ /www .wired.com/wired/archive/9.05/mustread.html?pg=3
. CNet News: "Klez Attack May Wipe Out Attacker".
. Internal Audit and Risk Management Community: Physical Security
. Controlling Access Through Revolving Doors.
. Government Security: "Always Open, Always Closed".