Social Engineering Using USB Drives
Iphtashu Fitz writes "What's the easiest way to hack into the computer systems of a credit union? It turns out that all you need to do is copy a virus/trojan onto USB drives and scatter them around the front door of the credit union. This was how a recent security audit was performed at a credit union where the employees had actually been tipped off to the audit. Security experts collected 20 old USB thumb drives and filled them with images and other data along with a trojan that would collect sensitive information and e-mail it back to them. Early one morning they planted the thumb drives around the entrances to the credit union as well as other public places where the employees were known to congregate. In very little time 15 of the 20 USB drives were plugged into company computer systems and started e-mailing usernames, passwords, etc. back to the auditors."
Given autoplay and the fact that many USB keys do not need drivers, this could turn out to be a serious problem.
Why not just disable USB keys? They don't need to take that data home with them... the ChoicePoint disaster, several laptops stolen out of cars... these companies need to make our personal data more secure.
It could have been done on CDs, but not floppies. Autorun.inf doesn't do anything on a floppy.
The difference here, of course, is that a USB stick is something someone would be likely to keep to use themselves. A burned CD isn't nearly as appealing.
If they were running Linux the solution would be easy: disable USB Mass Storage in the kernel. USB mice and keyboards will still work, but they won't be able to read their thumb drives.
That is 100% incorrect. USB drives (and ANY removable drive including usb/firewire hard drives) can be used for autorun. Most likely the reason the parent could not get it to autorun is because autorun had been turned off.
If you want a great example of autorun look at Pass2Go from the Roboform guys. It sets up autorun on the USB drive it is installed on. The Microsoft wireless network setup wizard (the one that also exports the WEP/WPA keys of an existing connection on an XP machine as plain text) also sets up a USB key to autorun the wizard.
I browse on +1 so AC's need not respond, I won't see it.
They used to on Macs. That was one reason Macs were so vulnerable to viruses back in the eighties. Every file could have a resource fork and the machine would load and execute the resources on any disk you inserted. As a result Mac viruses were a major problem - and this was before machines were networked.
Squirrel!
The Autorun capabilities are restricted to CD-ROM drives and fixed disk drives. If you need to make a USB storage device perform Autorun, the device must not be marked as a removable media device and the device must contain an Autorun.inf file and a startup application.
The hardware itself reports whether it is removable or not.
If you flip one of the bits, then it will auto-play just like a CD.
http://en.wikipedia.org/wiki/SCSI_Inquiry_Command
It's the "removable medium" setting.
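The "removable medium" setting discussed in this thread is the RMB bit (byte 1, bit 7) of the standard SCSI INQUIRY data, and the device itself supplies it. The following is an added example, not part of the original thread: it parses that response and flags a disk on an external bus that claims to be fixed. The sample bytes are constructed, and the `bus` argument and function names are hypothetical.

```python
EXTERNAL_BUSES = {"usb", "firewire"}
DIRECT_ACCESS = 0x00  # peripheral device type for a disk


def parse_inquiry(data: bytes) -> dict:
    """Decode the fields of standard INQUIRY data that matter for AutoRun."""
    if len(data) < 36:
        raise ValueError("standard INQUIRY data is at least 36 bytes")
    text = lambda raw: raw.decode("ascii", "replace").strip()
    return {
        "device_type": data[0] & 0x1F,      # bits 4-0 of byte 0
        "removable": bool(data[1] & 0x80),  # RMB: bit 7 of byte 1
        "vendor": text(data[8:16]),
        "product": text(data[16:32]),
        "revision": text(data[32:36]),
    }


def claims_fixed_on_external_bus(inq: dict, bus: str) -> bool:
    """True when a hot-pluggable disk reports itself as non-removable.

    The OS learns 'fixed' vs 'removable' only from the device, so this
    claim should be treated as untrusted input, not as a fact.
    """
    return (bus.lower() in EXTERNAL_BUSES
            and inq["device_type"] == DIRECT_ACCESS
            and not inq["removable"])


def build_sample(removable: bool, vendor: str, product: str, rev: str) -> bytes:
    """Constructed 36-byte INQUIRY response for the demonstration."""
    header = bytes([DIRECT_ACCESS, 0x80 if removable else 0x00,
                    0x04, 0x02, 31, 0, 0, 0])
    return (header + vendor.ljust(8).encode("ascii")
            + product.ljust(16).encode("ascii") + rev.ljust(4).encode("ascii"))


if __name__ == "__main__":
    for rmb in (True, False):
        inq = parse_inquiry(build_sample(rmb, "ACME", "Thumb Drive", "1.00"))
        print(inq, "suspicious:", claims_fixed_on_external_bus(inq, "usb"))
```
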
Today's IT departments... some I have seen treat the employees as though they are retards. They are right to call some that. I don't see how some of them got their jobs. But I can't understand why more IT departments don't have security checks, and chats with the employees. Not ALL of the employees are retards, just a few of them are. Information is key, and IT departments are failing miserably everywhere sharing security tips, and rules with the employees.
Please read this earlier comment, which points out that the drive itself is being relied upon to decide whether it is a "fixed" disc.
This is a security hole you could drive a truck through.
Life is too short to proofread.
Actually, you can make it autorun off of a thumb drive... Windows just loves the autorun.ini [sic] file. You set them to hidden on there and the employees don't see it, but Windows will run it.
Actually, you can't make it autorun off of a thumbdrive with an autorun.inf file even though that may work with a cd, because thumbdrives are considered removable storage like a hd or floppy, rather than removable media, like a cd. I know it because the company I work for had to replicate a ton of thumbdrives and we wanted to make them autorun like our cds, but there's no way to do it without changing the user's registry settings for autorunning.
A more likely scenario would be to name a file "cute.jpg.exe" and give it an image icon. Windows hides extensions by default, so all the user would see is a file that looks like an image with a tempting title to click on.
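Both lures raised in this thread, an autorun.inf and a file named like "cute.jpg.exe", can be found by walking a found drive's contents from a machine that will not execute anything on it. The following is an added example, not part of the original thread; the extension lists are assumptions and the sample tree is constructed.

```python
import os
import tempfile

EXEC_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".lnk", ".vbs"}
DECOY_EXT = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".xls", ".txt"}
AUTORUN_KEYS = ("open", "shellexecute")


def autorun_targets(path):
    """Return the programs an autorun.inf asks Windows to launch."""
    targets = []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for line in fh:
            key, sep, value = line.partition("=")
            if sep and key.strip().lower() in AUTORUN_KEYS:
                targets.append(value.strip())
    return targets


def scan_drive(root):
    """List autorun files and executables disguised with a document extension."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            lower = name.lower()
            if lower == "autorun.inf":
                findings.append(("autorun", rel, autorun_targets(full)))
                continue
            stem, last = os.path.splitext(lower)
            inner = os.path.splitext(stem)[1]
            # With extensions hidden, "cute.jpg.exe" is displayed as "cute.jpg".
            if last in EXEC_EXT and inner in DECOY_EXT:
                findings.append(("double-extension", rel, [inner + last]))
    return sorted(findings)


def demo():
    """Build a constructed drive layout and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "photos"))
        samples = {"autorun.inf": "[autorun]\nopen=setup.exe\nicon=drive.ico\n",
                   os.path.join("photos", "cute.jpg.exe"): "",
                   os.path.join("photos", "beach.jpg"): "",
                   "setup.exe": ""}
        for rel, text in samples.items():
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(text)
        return scan_drive(root)
```
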
No, but when floppies were more common, it was also common to have PCs set up to boot from the floppy first and only boot from the hard disk if the floppy isn't there.
There was a whole genre of viruses, including the Pakistani Brain virus, that took advantage of this, plus the tendency of people to forget to take their floppy out of the PC when turning it on. They would silently run the code hidden in the boot sector, which would infect the boot sector of the HDD and ensure that every floppy inserted from then on got the virus. At some predetermined time, the virus would release its payload.
The most vulnerable machines were the ones with multiple random users (especially schools and universities), and in the days before the internet, people were far more inclined to store their files on a floppy and take it with them.
If my call is important, why am I talking to a recording?