Social Engineering Using USB Drives
Iphtashu Fitz writes "What's the easiest way to hack into the computer systems of a credit union? It turns out that all you need to do is copy a virus/trojan onto USB drives and scatter them around the front door of the credit union. This was how a recent security audit was performed at a credit union where the employees had actually been tipped off to the audit. Security experts collected 20 old USB thumb drives and filled them with images and other data along with a trojan that would collect sensitive information and e-mail it back to them. Early one morning they planted the thumb drives around the entrances to the credit union as well as other public places where the employees were known to congregate. In very little time 15 of the 20 USB drives were plugged into company computer systems and started e-mailing usernames, passwords, etc. back to the auditors."
That's an amazingly clever idea. "Hey, free stuff" is what I would think. And then plug it into my ubuntu box :)
"Something's wrong with you...and I hope we never do meet again." - Deftones When Girls Telephone Boys
Will have to try it...
I thought of that a while back..be easy to infect people. Just hand it to them and ask them what's on it. Windows is happy to run it.
Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
Now all I need are some USB Thumb Drives.
On an unrelated note, does anyone have any USB Thumb drives they don't need?
Given autoplay and the fact that many USB keys do not need drivers, this could turn out to be a serious problem.
Why not just disable USB keys? They don't need to take that data home with them... the ChoicePoint disaster, several laptops stolen out of cars... these companies need to make our personal data more secure.
I better unplug that USB drive I found this morning.
Most people who work in an office do not read this website. Therefore they will probably still stick USB drives they find into their computers and be the victims of identity fraud, corporate espionage, etc.
This is going to be a hard one to stop. Humans are curious; when you find a cd, hard drive, thumb drive, the first thing you're going to want to do is stick it in your computer and find out what juicy secrets are on it.
My best advice for corporations is to lock down the computers and only allow approved devices by security profile. Trying to train people not to act like people will fail.
Any better ideas other than beating the users with a stick or JB Weld in any unused ports on a computer?
I would've put autoplay Goatse on them, personally.
I remember when it was a "common practice" to remove or glue floppy disks at schools...
But USB poses a different trouble. There ARE useful usb devices, like mouses and keyboards...
And furthermore... there are phones and digital cameras, and even those 5 in 1 memory readers that can be used to subtract information or leak viruses...
or even worse, specific purpose programs, like the one used at the "audit"...
And also one thing I wonder is what Antivir was "protecting" the machine? Isn't antivir doing heuristics to look after strange things at the computer, like "something" trying to get the addressbook?
I tried using something like this for my senior prank at school. I wanted to add a startup item that pointed to shutdown.exe on the XP systems. :)
I simply could NOT get anything to autorun from any type of flash drive. Autorun.inf wouldn't run .vbs, .bat, .exe, or even .txt files. Nothing. How could they get it to autoinstall? I know there's U3 type stuff, but that creates a fake CD Rom drive due to a CDFS partition on the flash drive itself...
How could they get the trojan to autorun on insert? And if you're picking crap up off the ground, why wouldn't you hold shift while plugging it in if you were running Win?
Since the users were required to actually execute something on the usb stick, couldn't this have been done years ago on floppies? Clever, kinda... but not new is my guess.
http://psychicfreaks.com/
You've probably seen the experiments where users can be conned into giving up their passwords for a chocolate bar or a $1 bill. But this little giveaway took those a step further, working off humans' innate curiosity. Emailed virus writers exploit this same vulnerability, as do phishers and their clever faux Websites. Our credit union client wasn't unique or special. All the technology and filtering and scanning in the world won't address human nature. But it remains the single biggest open door to any company's secrets.
There you have it -- invest in fancy firewalls, make people change their passwords every 90 days, filter email from spam, phish, virii, and trojans, and then sit back and watch as your employees bypass all those lovely defenses and lay your system vulnerable.
I've said it before: there's no use building a wall, firing up the boiling oil, and digging a moat and filling it with sharks if you're going to build an 8-lane superhighway through it. Companies are trying to crack down, but the myriad ways that information can get stolen or transferred from a system are enormous. USB drives, camera phones, MP3 players -- anything that can store data is a potential point of vulnerability, one which a company will be hard pressed to monitor or control. Couple that with this sudden rash of stolen laptops carrying unencrypted and often sensitive data, and there's no reason for hackers to work too hard any more, when they can just have data handed to them.
GetOuttaMySpace - The Anti-Social Network
I have to admit, this had me laughing out loud! :) I do security audits often, and I know this 'attack' would work almost anywhere.
Add this to your weekly 'security' email/meeting as I have a feeling this may happen a bit more often now...
Cybie! aka Ralph Bonnell
However it is simply solved by disabling the USB ports either physically or via the registry, which they should have been in the first place.
I'm going to try this with CDs.
Tomorrow's hottest slashdot article may feature my "tests"
----- You know you have ego issues when you register a domain in your name.
They run NT 4. :)
Before I'd even think of something like this, I'd want signed original 8.5x11 floppies giving me explicit authorization to attack^Hevaluate systems like this.
Even then, the DHS might come after the evaluators for possession and willful use of destructive tools.
I'll say this at a risk of sounding like a severe linux fanboy, but... Linux users had this solved a long time ago. Just edit /etc/fstab to not allow normal users to do any mounting (I mean, besides the obvious fact that Linux can't run windows binaries, thus eliminating all the worms and trojans, as well as any other malware you can name). Please, people, just move to linux and your automount/autorun problems will be all solved! No complicated solutions involving proprietary registry editors, just call up vi or emacs, even ed will do the job! If you use OpenBSD, you can even encrypt your swap partitions! (don't know if this exists for other os's too). Old news: Windows isn't secure (yet). Having retard employees who pop in anything they find on the street into their computer doesn't help.
If they were running Linux the solution would be easy: disable USB Mass Storage in the kernel. USB mice and keyboards will still work, but they won't be able to read their thumb drives.
but poor execution.
__________________________ Examining data should not lead to altering other___ data. Still less system files. Microsoft is a____ crufty bugfest. Nothing more to see here ... move along.
No, this isn't something that patches would fix. I could easily write a program that has no visible effect---or perhaps pops up a funny picture/animation or something---that, in the background, uses the administrative privileges it runs with by default to do lots of exciting things. Heck, even without admin privileges I could execute the idea from a few threads up (sticking a shortcut to shutdown.exe in the user's startup folder). It has nothing to do with patches: once the user runs my program, it's all over, no matter how patched they are.
WTFSM is with the underscores?
"May the days be aimless. Let the seasons drift. Do not advance the action according to a plan."
The first thing I do when I find a USB stick is to plug it in and open up documents to see whose it is. I mostly find them around campus, so a name on a paper lets me do a school directory look up. Shame to think I could get a virus from trying to help someone out; good idea and interesting application of USB sticks.
Devise, Repair, Solve, Build
Why does it scream "unpatched" to you? Did you read the article? The computers weren't infected by old exploits -- they were infected by a Trojan that had been custom-written for the job. No patch or anti-virus software is going to detect a Trojan that's never been seen before. It's really pretty easy to write a little program that will autorun when Windows mounts a drive.
Furthermore, why do you put so many underscores in random places in your post?
Karma: Terrifying (mostly affected by atrocities you've committed)
They scattered 20 trojan drives around the outside and 15 got picked up by their target. Notice how they don't bother saying what happened to the other 5. Did they not get used, not get found, found by other people? And you know some of those employees took the drives home and their personal information was captured. Yes it's a cool hack but unless the trojan was coded to only execute on machines with a certain MAC address it was ethically wrong.
My Hello World is 512 bytes. But it's also a valid Fat12 boot sector, Fat12 file reader, and Pmode routine.
I get autorun whenever I plug in my USB HD, or any cards into my card reader. XP Pro SP2. Also, your average user wouldn't know about holding down shift...
"Sic Semper Tyrannosaurus Rex."
"Humans are curious, when you find a cd, hard drive, thumb drive, the first thing your going to want to do is stick it in your computer and find out what juicy secrets are on it."
Shame that doesn't work with women.
Sorry to be a spelling/grammar nazi, but just what kind of word is mouses?
'sides, I always thought the plural of mouse was meese? (Or, is that the plural of moose? No, that's moose.)
You could've hired me.
"No, really, it's just a test, I'm not bad! Look, I have a Slashdot login!"
It's pretty scary how the thumbdrives were plugged into company computer systems. You'd think the employees would know better. They work at a credit union, a literal gold mine of personal information that should be carefully guarded. I admit I would have had the same reaction as the parent and would have instantly jumped at the opportunity for free flash memory. But I would have tested the thumbdrive on an isolated computer at home first and definitely not on a computer which could possibly reveal other people's sensitive information to the world.
I buy a lot of office supplies, where can I get such a deal on sharpies?
every day http://en.wikipedia.org/wiki/Special:Random
Though I'm stating the obvious, this is related to the one biggest problem for I.T. today and in the next 20 years - the end users and their tendency to click things they shouldn't, circumvent measures to stop them doing things they shouldn't and not pay attention to dialog boxes correctly... But if every end user all of a sudden stopped installing worms, viruses and spyware I think a good 10% or more I.T. support workers would be out of a job - I can see a possible conflict of interest there!
The real culprit is MS's AutoPlay or AutoRun though. That is how 500,000 users got infected with the Sony Rootkit.
Label it "Joe's MP3s" or "JenniCam (archive)" or what have you, or just leave an unlabeled CD or DVD laying around somewhere. Guaranteed someone will open it without holding the shift key to disable autorun. Cheaper and more reliable than USB keys.
it's a blue bright blue Saturday hey hey
Banks and other organizations with shared computing requiring high security should consider thin clients rather than PCs. There should be no drives on bank teller computers to transfer data either onto or off of their system.
Put a giant magnetic/EMP field through all the entrances to the buildings. Anything capable of storing data will be wiped and/or fried before it makes it in.
I read this story a couple of days ago before it got slashdotted. I believe that slashdot is getting slow on the news!
I think this example makes a good case for anti-virus / anti-malware programs.
No, I will not work for your startup
*wink wink nudge nudge*
"Why?"
"IT says we got dongled, whatevthefuckthatmeans."
My apologies... I had forgotten about the Windows Metafile exploit.
...you don't know where that dongle's been.
The Autorun capabilities are restricted to CD-ROM drives and fixed disk drives. If you need to make a USB storage device perform Autorun, the device must not be marked as a removable media device and the device must contain an Autorun.inf file and a startup application.
Seriously. It really is.
... if you ever tried to get socially engineered by a little old granny with a p4c3m4k3r it will kill her! Oh, wait, that's not a bonus.
Help poke pirates in the eyepatch, arr.
Why not?
OK, maybe I'm too innocent. Normally I run Linux. Are you suggesting that Windows will automatically run executables from any random USB device that gets plugged into the computer?
If not, these people were dumb enough to run random executables. Granted, having both program-as-icon and data-file-as-icon is a very bad UI choice, but still... 15 out of 20? WTF?
If so, that Windows actually does the autorun thing... wait a second while I invent new words to describe this particular quality.
This appears to be the definitive answer (unless Microsoft is wrong about their own OS).
The most rabid believers in American Exceptionalism are the exact same people whose policies are destroying it.
We had to do this at one of our clients. The problem wasn't USB drives, it was vendor webapps (transportation industry) that insisted on installing ActiveX controls to work. So we set up 4 Windoze PCs in an insulated subnet to run those, and do other dangerous things.
Workers in London financial firms, which handle a lot more money than a credit union, ran CDs from total strangers on the street.
Kevin Mitnick has pointed out that an attack like this could be made virtually certain to work. Desperately ask the receptionist to let you in, just for 90 seconds, just to use the restroom, and drop a CD on the floor labeled "CONFIDENTIAL: Layoff List". Extra points if you got a copy of the company phone directory and copied some or all of it onto the CD for the finder to browse while the autorun program chugs away.
The hardware itself reports whether it is removable or not.
If you flip one of the bits, then it will auto-play just like a CD.
http://en.wikipedia.org/wiki/SCSI_Inquiry_Command
It's the "removable medium" setting.
say there is a file on the usb drive labeled "mindy underwear 001" with a thumbnail of a scantily clad woman. you'd double click it to view it right? what if that thumbnail was an icon for a clever trojan that pops up a look alike of windows' image preview. cool huh? now there's an unauthorized program scanning through your files trying to find username/password combinations. SUCKER!
i read this article last night.. i think i may start doing this for shits and giggles. the obvious blackhat way would be to steal sensitive information. i'm thinking more obnoxious things that makes people privy to security violations. maybe a few floating penises while the computer is making orgasm sounds. with a text file that explains exactly how it got installed so the user can't say "i was surfing the web and this happened". ahh, i'm loading up visual c++ now. i'll report back with results on monday!
Once again mankind is sticking things where they shouldn't be and getting infected...something that has been going on for centuries.
Because of those errors, a normal user is unable to determine that a file is an executable. A user is quite reasonable in not expecting an executable, and there is nothing to alert him to the odd situation. All the user sees is a data file.
So now...
The first problem is fixable by hunting down a couple somewhat hidden options. What about the other problems?
would also work. Leave CD's at a newsstand with "Free Pony Pictures" on it and you have some zombie clients.
Just hand out some Sony CDs too and the whole thing can remain perfectly cloaked...
I have wondered how difficult it would be to do a DNS poisoning of the MS Update address. That could yield full control of heaps of PCs.
Oh well, what the hell...
Today's IT departments... some I have seen treat the employees as though they are retards. They are right to call some that. I don't see how some of them got their jobs. But I can't understand why more IT departments don't have security checks, and chats with the employees. Not ALL of the employees are retards, just a few of them are. Information is key, and IT departments are failing miserably everywhere sharing security tips, and rules with the employees.
As soon as you used the term "provisionings" we all knew you worked for a Fortune 500 co. Do you "connectorize" stuff, too?
My turnips listen for the soft cry of your love
In the Black Hat conference in 2005 a group introduced a few hacks to access system memory via IEEE 1394 (Firewire). In the Toorcon conference September 2005 an individual showed a working example of USB 2.0 being used for the same purpose. The main point of this was related to USB and Firewire being given access to system memory via DMA channels. The example shown during Toorcon was a memory dump of the computer while it was booting. Using a USB 2.0 device an attacker can modify system memory outside of the operating system's knowledge. Using a technique like this one could actually write to very low level routines on the computer without the operating system being aware of this.
If it's good enough for Diebold, Sequoia etc, it's good enough for everybody else !@#
http://www.google.com/search?q=%22Harri+Hursti%22
... I think I have an idea for a great April Fool's prank. But I need all of you to be really, really quiet about this. 'K?
.. paranoid crackpot leftover from the days of Amiga.
Reminds me of a project a few of my friends and I did over spring break back in the early 90's. Only instead of USB drives we used floppy disks. Looks like they pretty much just took our idea into the present day. Surprising they didn't give credit for the idea to us original pioneers. Hopefully they will respond to our emails and give proper credit where it's due.
Many stores now use PCs as their cash registers. Distract the clerk, plug the USB minidrive into the checkout register or the keyboard. "What credit history?" Most small businesses use QuickBooks. Here's my "approved invoice to pay." Check's in the mail...
I will create a sig when innovation restarts in the U.S.
Please read this earlier comment, which points out that the drive itself is being relied upon to decide whether it is a "fixed" disc.
This is a security hole you could drive a truck through.
Life is too short to proofread.
Huh? What about cdroms? What about floppy disks? I think the point is, if a user finds a data disk of any format, they might try to see what is on the disk.
From man mount, Debian Etch:
noexec Do not allow direct execution of any binaries on the mounted file system. (Until recently it was possible to run binaries anyway using a command like /lib/ld*.so /mnt/binary. This trick fails since Linux 2.4.25 / 2.6.0.)
There you have it. Contrast this with autorun by default on most Fortune 500 Windoze desktops.
Friends don't help friends install M$ junk.
That's also how you distribute information anonymously. I've thought about it many times, and if I were in possession of photos of the president getting head from Dick Cheney (and I am not, so don't ask me for copies :-) ) I'd just burn a few dozen CD's while wearing white gloves, a face mask, and a hair net. A little rubdown with some mild bleach solution, and I'd be in business. I'd just find places which were not under video surveillance to leave the CD's laying around. Somebody would pick the CD up and the photos would be out in public, anonymously. There's always a chance to be caught, but it's much safer than using an anonymous remailer through any IP connection from the US which can be subpoenaed and traced.
Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
What's ___ with____________ all _____ the__ underscores?
Why is it that when you believe something it's an opinion, but when I believe something it's a manifesto?
Well, there's 15 more people for the unemployment lines. Heh heh heh.
In Linux, the icon is assigned the same way as the "start menu" text. It needs to be installed to a data file. A raw executable gets a generic icon. There just isn't any way to embed an icon into a Linux executable.
Windows actually reads an icon out of the *.exe file. This could be made to look just like an icon normally used for an image, PDF, text file, etc.
The removable media device setting is a flag contained within the SCSI Inquiry Data response to the SCSI Inquiry command. Bit 7 of byte 1 (indexed from 0) is the Removable Media Bit (RMB). A RMB set to zero indicates that the device is not a removable media device.
So, how hard do you think it would be to make a USB auto run?
But hey, the mighty Ctrl-Alt-Delete login will protect you, right?
mount(8) isn't the only way to access media, and a lot of others do not require root.
Yeah, but only root can change the fstab. Just make sure all removable media mounts noexec. This eliminates user click attacks and forces the user to actually copy and change the exec attribute of the file to run it.
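The noexec advice from the mount(8) quote and the "make sure all removable media mounts noexec" comment above can be checked mechanically. This is an added example, not something from the thread: a POSIX sh function that audits fstab text for removable entries lacking noexec. It assumes removable media are the entries mounted under /media or /mnt or carrying the user/users option, and the fstab below is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): report removable-media fstab entries
# that do not carry the noexec option.  Assumption: "removable" means a
# mount point under /media or /mnt, or an entry with the user/users option.

# Constructed sample fstab for a stand-alone run.
SAMPLE_FSTAB='# <device>      <mount>         <type>      <options>                     <dump> <pass>
/dev/sda1       /               ext3        defaults,errors=remount-ro    0      1
/dev/sda2       none            swap        sw                            0      0
/dev/sdb1       /media/usb      vfat        user,rw,noauto                0      0
/dev/sdc1       /media/camera   vfat        user,rw,noauto,noexec,nosuid  0      0
/dev/hdc        /media/cdrom0   udf,iso9660 user,noauto,noexec,nodev      0      0
/dev/fd0        /media/floppy0  auto        rw,user,noauto                0      0'

# Reads an fstab on stdin.  Prints the mount point of every removable entry
# whose options lack noexec; returns 0 only when no such entry exists.
audit_fstab_noexec() {
    found=0
    while read -r dev mnt fstype opts rest; do
        # Skip blank lines and comments.
        case "$dev" in ''|\#*) continue ;; esac
        removable=0
        case "$mnt" in /media/*|/mnt/*) removable=1 ;; esac
        case ",$opts," in *,user,*|*,users,*) removable=1 ;; esac
        [ "$removable" -eq 1 ] || continue
        case ",$opts," in
            *,noexec,*) ;;               # hardened: binaries cannot be run directly
            *) echo "$mnt"; found=1 ;;   # report the entry that still allows execution
        esac
    done
    [ "$found" -eq 0 ]
}

# Stand-alone demonstration against the constructed sample.
if printf '%s\n' "$SAMPLE_FSTAB" | audit_fstab_noexec; then
    echo "all removable entries carry noexec"
else
    echo "the entries listed above lack noexec"
fi
```

On a real system, run `audit_fstab_noexec < /etc/fstab`; it does not examine mounts made outside fstab, which the next comment notes are a separate problem.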
Actually, you can make it autorun off of a thumb drive...windows just loves the autorun.ini [sic] file. You set them to hidden on there and the employees don't see it, but windows will run it.
Actually, you can't make it autorun off of a thumbdrive with an autorun.inf file even though that may work with a cd, because thumbdrives are considered removable storage like a hd or floppy, rather than removable media, like a cd. I know it because the company I work for had to replicate a ton of thumbdrives and we wanted to make them autorun like our cds, but there's no way to do it without changing the user's registry settings for autorunning.
A more likely scenario would be to name a file "cute.jpg.exe" and give it an image icon. Windows hides extensions by default, so all the user would see is a file that looks like an image with a tempting title to click on.
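The "cute.jpg.exe" trick above relies on Explorer hiding the real extension. As an added example that is not from the thread, here is a small Python check that reproduces what the user would see and flags names whose displayed form looks like a document while the real extension is executable. The extension sets and the directory listing are constructed assumptions.

```python
# Added example (not from the thread): detect double-extension names that
# read as documents once Windows hides the last extension.

# Assumed extension sets; extend to taste.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "lnk"}
DOCUMENT_EXTS = {"jpg", "jpeg", "gif", "png", "bmp", "txt", "doc", "pdf", "xls"}

# Constructed directory listing of a found thumb drive.
SAMPLE_LISTING = [
    "if found.txt",
    "holiday.jpg",
    "cute.jpg.exe",
    "party photos.jpg.scr",
    "setup.exe",
    "budget 2006.xls.exe",
    "README",
]


def displayed_name(filename: str) -> str:
    """Name shown with 'Hide extensions for known file types' enabled:
    the last extension disappears when it belongs to a known type."""
    stem, dot, ext = filename.rpartition(".")
    if dot and ext.lower() in EXECUTABLE_EXTS | DOCUMENT_EXTS:
        return stem
    return filename


def is_disguised_executable(filename: str) -> bool:
    """True when the real extension is executable but the displayed name
    still ends in a document extension (e.g. cute.jpg.exe -> cute.jpg)."""
    _, dot, ext = filename.rpartition(".")
    if not dot or ext.lower() not in EXECUTABLE_EXTS:
        return False
    _, inner_dot, inner_ext = displayed_name(filename).rpartition(".")
    return bool(inner_dot) and inner_ext.lower() in DOCUMENT_EXTS


def find_disguised(listing) -> list:
    """Return (real name, displayed name) pairs for every disguised file."""
    return [(name, displayed_name(name))
            for name in listing if is_disguised_executable(name)]


if __name__ == "__main__":
    for real, shown in find_disguised(SAMPLE_LISTING):
        print(f"{shown!r} is really {real!r}")
```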
Alright, I've read a lot of people saying "just disable USB devices". Someone said that everything should be locked down and that training people is useless.
Disabling USB devices will not work. Even if you do it perfectly, that is, disable all storage devices but not keyboards, mice, etc. Why? Because CD-ROM drives have the exact same problem. I don't think floppy drives have any type of autorun function, but you can still put deceptive file names on them. Same problem with Email attachments.
Now, go disable email, CD-ROMs, floppies, USB devices, and memory card readers at your office/school and see how much work actually gets done.
You must either educate people, or restrict them to the point where they can't do their job in order to prevent your network from being infected. Given that the latter results in a huge loss of profit, I'd try to educate people.
-1 disagree is not a modifier for a reason. -1 troll, flamebait, redundant, overrated are NOT acceptable substitutes.
Wouldn't you be suspicious if you saw a few usb drives laying around in the parking lot? It's a shame, though, this worked so well. It just goes to the ignorance of network security/policies set in a company. Or, worse, blatant disregard. They should all be fired.
That which does not kill me only postpones the inevitable.
"Beware of Geeks bearing gifts"?
I'm a software visionary. I don't code.
Evil on a USB drive: http://www.linux.com/article.pl?sid=06/04/25/1917228
Just set Autorun to change the boot settings and run the drive formatter automatically.
The company doesn't have an application level firewall on the gateway? I think they should spend some $ doing that instead of pulling audit stunts.
Imagine years ago finding some old unlabeled floppy disk, "hey, let's check it out!" I wonder how many folks got nailed with viruses that way over the years. In my entire computing career I got one virus, one time, and that was the reason, checking out some weird disk. Learned my lesson I did.
This on-purpose gambit is a variation on the time tested "sting" operation. Want to catch "drug dealers" and users? Be a narc and set yourself up as a bigger drug dealer; they do stuff like that daily. Heck, the latest canadian so called 'terrorist' cell was infiltrated with cops and they set up the chemical fertilizer buys for them, according to the latest embarrassing leak-age being reported.
With that said, very easy and slick social engineering. Even with this latest news tidbit, I bet you could go out tomorrow and pull off the same stunt. Want to up the ante, and really target the company or agency you want to nail, "lose" a laptop or PDA around there. You could even salt it with some nifty label on the outside "property of acme bigco or bigbrodotagency" or something like that, get some interest quick. The worker drone who found it might take it back to the shop with them, thinking a cow-orker "lost it". How about a guerrilla zombiebot networking angle? Make cds with slick printed labels, assorted gamez! or triple xxx hardcore! "Lose" them by the hundreds hither and yon. People slap that disk in, nailed. You could even give them a few games or jpegs so it looked "legit" to them, they wouldn't even notice. Drop them around casually in high bucks high rent district someplace, nail the well heeled, steal CC numbers and passwords, etc. Lose disks like that where dotgov workers go to drink, you'd get some installs, humans being humans after all. Hecks a fire, I have seen some company trying this stuff with alleged "free internet minutes!" They used to mail me that stuff, AWOL or somesuch...
With the way you type, it makes your post scream "my brain is unpatched". Holy crap dude.
Ron White put it perfectly - "You can't fix stupid."
----- This is a little off-topic, but what the hell is up with the new Slashdot color scheme?! It's just downright FUGLY! Just because something is new, novel, revolutionary, or abstract DOES NOT mean that it is a good idea. Get with the program.
Good morning! / Good night! (Circle one)
Knowing Google's lust for data collection, the Soviet Union is still alive and well inside the psyche of Sergey Brin....
Plug-n-Pwned.
This really is a no brainer. A bank or any other such institution should not need floppy, CDROM or USB devices enabled or even installed on the majority of its front of house PCs. Simple. And by enabled I mean physically, i.e. if the PC cannot be purchased without USB sockets, disconnect them from inside the machine.
-= This is a self-referential sig =-
"Most people who work in an office do not read this website."
No, but many IT professionals do. Hopefully they educate their users to be wary of anything they don't own. It's not much different than opening an attachment from an email you receive.
This experiment also provides justification for draconian policies that disable USB on corporate machines. Regrettably, it is probably much safer and more effective to deny rather than educate. I'm sure many around here will protest such policies but there is a rationale behind them. And for environments that handle sensitive information, like a friggin bank, I hope to god that employees are prohibited from using company machines for private purposes. Put a machine in the break room that has internet access, but no access to company resources, and let people use that machine for personal stuff.
There ARE useful usb devices, like mouses and keyboards...
This experiment demonstrates why PS/2 keyboards and mice survive. Some environments require PS/2 keyboards and mice and they do disable the USB ports.
That and Dell probably saves $0.10, those dimes add up.
Sigh...
Vista:XPSP2::ME:98SE
Truth is, if I would find a usb drive, especially in an area that I work in, I would assume that it belongs to someone who is regularly in the area, and I would plug in the usb key to read the file that would be (at least on all of mine and my friends' usb drives) on there called "if found.txt" obviously containing contact information of the owner. It's quite sad that we have such malicious people in our world that are willing to go to all lengths to make the world a worse place to live in. Having recently read the blog about the guy trying to get back his friend's lost (and now effectively stolen) sidekick (http://www.evanwashere.com/StolenSidekick/), I was able to relate completely on the fact that I would try my best to return the lost item. This would include usb keys. It's a shame that now I would have to think twice before attempting to return someone's lost property due to the security risk :-(
Fix your Dell XPS m1210 screen! -- http://m1210screenfix.blogspot.com
were THESE Trojans ribbed for YOUR pleasure?
(Sales could be enlar... umm enhanced if the handles are sufficiently reshaped. Imagine jacking it up to 52-penta-tera-throbba bytes. It won't fit in the back pocket... a backpack might be sufficient... And it'll need external power load at that size...)
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
Microsoft posted an article on how to disable the autorun feature from removable drives. The problem however is that it requires the drive to be installed first. Kinda pointless as it would be too late once you've connected the device for the first time.
Life is not for the lazy.
Of course you are safe. There is no such thing as bugs in applications (media players, picture viewers) that allow code embedded in unexecutable files to be executed.
Fire up regedit. Search for "NoDriveTypeAutoRun". Set to 0xFF.
At least, that's what I do. I don't want Autorun on any type of drive, thank you, I'd like to decide that for myself.
When I find a USB thumb drive and plug it in to my computer and there is malware on it, the anti-virus software displays a pop-up warning and asks me to decide whether infected files should be deleted or quarantined.
If a company does not have centrally managed and updated antivirus software on the entire fleet of its computers, they do not need an audit, because there are more fundamental problems with that company!
On the whole, I certainly agree with you, and it's certainly refreshing to see someone who doesn't fall into the "I use Linux so I'm immune to anything" trap. But I think even you underestimate it a little.
"Now, while you are watching a cool graphics demo, it checks if you are logged in as root and, if you are, installs a nasty payload. If not, it could simply start emailing every file it finds in your home directory, or delete them, or encrypt them."
Doesn't even need root to steal passwords. There are a _ton_ of config files and startup scripts in your home directory, which a trojan can attach itself to. It can load itself in your bash window, as a plugin in your mozilla, launch an extra program in your X, replace icons on your desktop, and god knows what else. One of those will catch on to something.
E.g., if it's, say, Suse, I know that there'll be some programs -- e.g., Yast, every time you run the auto-updater -- where the system will ask for the root password first. I can just replace the link with one to a program that shows an identical dialogue.
Or, yeah, transmitting every file in your home directory is indeed another great way to get a ton of info. Source files that contain the URL, account and password to the productive database are the norm, rather than the exception. Or some cutesy script that goes through the firewall to download the latest nasa pic of the day or whatnot with wget, and in the process contains the user's name and password to go through that proxy. (Let's hope he's used that password in more than one place.) Or there'll always be one idiot who exported the productive database onto his local computer, or downloaded the server configs (including all database connections, with name and password), god knows what else he's copied there. There'll often be one idiot who's built some back door because he can't be arsed to go through the IT department to have something reconfigured or to properly log in. I'd love to know about that backdoor. There'll be emails with forgotten passwords. There'll be emails where people tell each other about those backdoors. ("Oh, if you come from the intranet zone, you can bypass the stupid authenticating proxy completely. Just use http://prod.somebank.com/internalurl/some.jsp?secret_user_login=admin.") There'll often be text files or spreadsheets with all the URLs, names and passwords he uses. (The geek equivalent of post-it notes.) Etc.
Config files outside the home directory? Those can be fun too. E.g., everyone will have access to fstab. Maybe they'll have the name and password for every single file share they use in there, or maybe it'll be offloaded to some .smbpassword file, but there's nothing that some trivial parsing can't extract. Or just send it to me as it is, together with any readable file referenced in it. I'll do the extraction by hand.
Log files? Now those can be a cornucopia of classified information. I've seen people even log each user's name and password at each login through their clever UserRegistry or Single Sign On module or such. If someone copied a bunch of productive logs to their machine -- or I can get the password to the machine where they are -- I might be able to login and cause mayhem as 1000 of their customers. Or go to those customers' profile pages and find out their personal data.
Etc.
"If you aren't root the damage is limited, but there is still damage."
As I was saying, even if you aren't root, the damage done can be catastrophic. The thinking that all that matters is that the OS survives can sometimes miss the point. Yeah, some guy's Linux installation survived perfectly. But then I got access to his company's servers. Was it that much better? I'll bet that as far as the company is concerned, they would have cared less if I had just wiped out one workstation's hard drive.
A polar bear is a cartesian bear after a coordinate transform.
If you have a Linux box, try this:
1. Put an executable program on a filesystem which is mounted noexec
2. Run
Phil
I guess today is a passable day to die.
While not perfect, wouldn't setting whatever anti-virus software is installed to scan the flash drive on insertion before allowing access pretty much stop this? I thought this was standard practice - or have things moved on now?
As an end-user of a corporate machine, I'm not happy that the anti-virus software on it has been locked down so far that I can't initiate a scan of files or folders or media myself. I deal with customers who need to give me large files frequently (too big for our or their email system), and I have no way of checking that the CD or flash drive handed to me is OK. IT seem to have found yet another way of shooting themselves in the foot.
People love USB drives for good reasons. They make the data personal, tangible, an object that follows physical laws that users know intuitively. To an IT person, data is just ones and zeroes in some arbitrary physical medium. But to most users, there is a big difference between that letter you wrote last week disappearing into some network ether, versus residing on a physical USB drive you can hold in your hand.
Most of the comments in this thread are of the "USB drives are a big security hole! Disable them!" variety. What a classic example of IT snobbery. A good administrator, one who understands his users, would stop to think WHY people use USB drives, and try to create a solution that balances the benefits vs. risk to the users.
Along this line of reasoning, an ideal system would be a thin client that accepts USB drives for file storage, automagically backs them up when they are used, and doesn't run any executables other than what's configured. Kind of like the old Sun smart card idea where the user has a physical, tangible ID card where his files conceptually reside.
If you want your users to respect your network security concerns, you first have to try to respect your users.
A very similar thing happened to me..
Someone left a cupcake on my desk and I ate it, and then I e-mailed my bank info to a guy in Nigeria.
Anecdote: Back in 1984 (I was 14), I worked as "gopher boy" for a bank. Many times con men tried to stop me on the street when I was doing errands and pass a con. They never succeeded with me -- though some of my colleagues have fallen, and lost money (theirs and others') to those guys. I just looked at the guy and said "come on..." and went on.
It's the same:
1. if a complete stranger is offering it to you, you don't need it.
2. if you don't have word of mouth from someone you know that it's good, it probably isn't.
3. if it seems too good to be true, then it probably isn't true.
In your SIGGRAPH example, I would either: ask someone I know and trust if they vouch for the integrity of the thing; decompile the thing and see if it does not do anything nasty (because I can -- and I know many can't); run it in a sandbox (likewise) with no net connection, and no access to my account on my computer (probably I would do this even if someone vouched for the cleanliness of the thing, just to be sure -- the fact that I'm paranoid does not mean they aren't out to get me); or NOT RUN IT AT ALL.
It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
They got a hit on 15/20 USB drives, but what happened to the other 5? If they scattered them in a public place, surely other members of the public could have picked them up and could have been compromised. This would put the auditors on the wrong side of the law, as they had no prior agreement to pentest the general public.
I get it, this is one of those fill in the blanks games right?
... move along.
Let me try.
This is mildly interesting, but not because the__curious__ employees did anything wrong. It points out that_while_ the sysadmins have been keeping horribly unpatched_computer__ systems around that could be infected by data. And old exploits, at that.
____________Merely______________ Examining data should not lead to altering other_sensitive__ data. Still less system files. Microsoft is a__spectacularly__ crufty bugfest. Nothing more to see here
Do I win a prize?
"I had one of my guys write a Trojan that .. would .. email the findings back to us" "Slowly but surely info was being mailed back to him"
Need we ask on what OS this trojan was so easily run?
davecb5620@gmail.com
People are definitely the weakest link...
1) Buy a crate of USB drives cheap..
2) Install images and Trojans on all of them
3) Sell them on eBay one at a time.
4) Harvest the spoils.
5) Profit!
-Jason
The damage a trojan can do as a user is much worse than as root. Running as root it will probably only damage the system config, which can easily be recovered from original media. As a user it can damage or forward your data, which is a much worse situation; it can also impersonate you and damage your reputation.
-Eric
SJW: Someone who has run out of real oppression, and has to fake it.
An operating system should not trust external executables. By external, I mean all those executables that are not part of the installation of the machine or not explicitly labelled as "internal". The first time an external executable tried to access a resource, the operating system should block it and notify the user. If the user knows the program is harmless, then she should go and unblock the program.
If it sounds like a firewall for executables, then it's because it is a firewall for executables. It would solve the problem mentioned in the article, the problem of running illegal code from emails, etc.
Hell no, you did NOT just kick my fish!
Offtopic, but the funniest thing I've read all day.
Windows isn't the answer... it's the question. NO is the answer!
"Don't eat anything off the floor! You don't know where it's been!"
Guess the same logic applies to computers...
Autorun is a bug in itself that needs patching. Users operating with admin privs is another.
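Two defender-side checks for the autorun vector this thread keeps coming back to: decoding the NoDriveTypeAutoRun bitmask mentioned in the regedit comment above (a set bit disables autorun for that drive type, so 0xFF disables all), and flagging the [autorun] directives in an autorun.inf that would launch a program on insertion. This is an added example, not code from the thread; the sample autorun.inf is constructed.

```python
"""Added example: autorun policy decoding and autorun.inf inspection.
Sample autorun.inf below is constructed for illustration."""
import re

# Drive-type bits of the NoDriveTypeAutoRun registry value
# (...\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer).
# A set bit means autorun is DISABLED for that drive type; 0xFF disables all.
DRIVE_TYPE_BITS = {
    0x01: "unknown", 0x02: "no_root_dir", 0x04: "removable", 0x08: "fixed",
    0x10: "network", 0x20: "cdrom", 0x40: "ramdisk", 0x80: "reserved",
}

def autorun_still_enabled(mask: int) -> list[str]:
    """Return the drive types on which `mask` still allows autorun."""
    return [name for bit, name in sorted(DRIVE_TYPE_BITS.items()) if not mask & bit]

# [autorun] keys that launch something when the volume is inserted or opened.
# Keys are case-insensitive; shell\<verb>\command adds context-menu actions.
_EXEC_KEY = re.compile(
    r"^\s*(open|shellexecute|shell\\[^=\s]+\\command)\s*=\s*(.+?)\s*$", re.I)

def exec_directives(inf_text: str) -> list[tuple[str, str]]:
    """Scan autorun.inf text; return (directive, target) pairs that run a program."""
    found, in_autorun = [], False
    for raw in inf_text.splitlines():
        line = raw.split(";", 1)[0]          # ';' starts a comment in .inf files
        if line.strip().startswith("["):     # section header
            in_autorun = line.strip().lower() == "[autorun]"
            continue
        m = _EXEC_KEY.match(line) if in_autorun else None
        if m:
            found.append((m.group(1).lower(), m.group(2)))
    return found

# Constructed sample: a drive labelled as photos that would launch two binaries.
SAMPLE_INF = """[autorun]
label=Holiday photos
icon=photos.ico
open=setup.exe
shell\\open\\command=launcher.exe ; runs when the user picks "Open"
"""

if __name__ == "__main__":
    # 0x91 leaves removable and CD-ROM drives autorunning; 0xFF leaves none.
    print(autorun_still_enabled(0x91))
    print(autorun_still_enabled(0xFF))
    print(exec_directives(SAMPLE_INF))
```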
It should be totally illegal to listen to a cd on your computer at work .....
How quickly would you quit if that was the case?
The problem, Wise Guy, is that such a system doesn't exist today! So your post is useless. OTOH disabling all autorun devices can be done today, works, and will work tomorrow. Don't criticize valid solutions unless you can provide a reasonable alternative. When you've got something useful to post, come back.
This is why I keep virtual machines available on all my boxen. If I have a chunk of data (especially the executable variety) that appears to be sketchy, I load up my dummy OS and check it out. After viewing the content, whether or not it appears to have done any damage, I unmount the filesystem and revert the VM to its previous state. In the future, I'm pretty sure that very little software will run in the space that it does today. Most of the OS will be virtualized, BIOS will be replaced with EFI, and the OS kernel could quite possibly be stored in ROM. While malware will never go away entirely, in the not-so-distant future, its writers will need to spend a lot more time & effort to get the same results.
Unless they knew the version/brand/etc of the email client, writing the trojan to use the client machine's existing email client would be a little on the tricky side (unless they were supplied with the info, or retrieved it via some other method), so I'm guessing that they had the trojan send the email itself.... (I'd probably write it that way too)
So does that mean that SMTP outbound was enabled on the firewall (or more to the point, not disabled)?? What other ports are open allowing unrestricted access?
Sure, the users that plugged in the keys are at fault, but a simple rule at the bottom of the firewall rules (deny all to all) and only allowing required services would have stopped this as well.
Then again, I could be wrong.
Proactively!
Beyond the issue of encrypting the data sent, how could they guarantee that only the target company would receive the thumb drives? Couldn't employees of other companies pick them up too, and then they would receive data from these other companies? Or the employees of the target company would bring them home and use them on their home machines, compromising the home machine. This gets really messy. I think that what the security people did was pretty dangerous from a legal point of view.
All those studies prove is that people are willing to say they'll give away their passwords for a chocolate bar.
If somebody offered me a chocolate bar for my password I'd tell them a fake password then take the chocolate.
No sig today...
I don't know what is worse, that the computers were misconfigured by enabling autorun on a USB drive, or that their security policies allow wide open outbound access for the data to get out.
If you hold, IIRC, shift while putting in a CD, DVD, USB drive or whathaveyou, it disables autorun.
KDE and GNOME seem to be safe regarding programs. You don't get custom icons when viewing raw binary executables. You only get the per-app icons in menus, as chosen during installation.
There is a slight problem with GNOME at least: image files are shown as thumbnails. This prevents the user from strongly associating an icon with the type of file.
Ideally, all images (PNG, JPEG, etc.) should have the same icon. All text documents (DOC, HTML, TXT, ETC.) should have the same icon. Having a small number of different icons is important to usability. Perhaps a couple dozen would be a nice total.
Certainly you are still _vulnerable_ to social engineering, but you are not AS vulnerable to this kind of social engineering attack.
1. With Windows you are apparently vulnerable just BROWSING the flash drive. Or so say many posts on here, at least. With Linux you must run an executable in there, and you are less likely to run a nonexecutable file in an exploit-happy ActiveX environment (eg, IE) or similar.
2. To root your machine with Linux you ALSO need a privilege escalation attack. With Windows if you don't run as Administrator on a normal desktop you face an uphill battle of getting applications to work, because Microsoft has made little attempt to force the body of applications - even major commercial ones - to run not-as-root and even install not-as-root unless they really need root privs. Linux and OS X both do this nicely because the OS demanded it of the application developers. Without escalation the payload is always limited in what it can do to the overall OS... at a minimum you'll be able to clean the computer, which is often not feasible with Windows.
Looking for freelance Actionscript (Flash/Flex) or ColdFusion work and/or freelance developers. Email me, put Slashdot