Social Engineering Using USB Drives
Iphtashu Fitz writes "What's the easiest way to hack into the computer systems of a credit union? It turns out that all you need to do is copy a virus/trojan onto USB drives and scatter them around the front door of the credit union. This was how a recent security audit was performed at a credit union where the employees had actually been tipped off to the audit. Security experts collected 20 old USB thumb drives and filled them with images and other data along with a trojan that would collect sensitive information and e-mail it back to them. Early one morning they planted the thumb drives around the entrances to the credit union as well as other public places where the employees were known to congregate. In very little time 15 of the 20 USB drives were plugged into company computer systems and started e-mailing usernames, passwords, etc. back to the auditors."
That's an amazingly clever idea. "Hey, free stuff" is what I would think. And then plug it into my Ubuntu box :)
"Something's wrong with you...and I hope we never do meet again." - Deftones When Girls Telephone Boys
This is going to be a hard one to stop. Humans are curious; when you find a CD, hard drive, or thumb drive, the first thing you're going to want to do is stick it in your computer and find out what juicy secrets are on it.
My best advice for corporations is to lock down the computers and only allow approved devices by security profile. Trying to train people not to act like people will fail.
Any better ideas other than beating the users with a stick or JB Weld in any unused ports on a computer?
You've probably seen the experiments where users can be conned into giving up their passwords for a chocolate bar or a $1 bill. But this little giveaway took those a step further, working off humans' innate curiosity. Emailed virus writers exploit this same vulnerability, as do phishers and their clever faux Websites. Our credit union client wasn't unique or special. All the technology and filtering and scanning in the world won't address human nature. But it remains the single biggest open door to any company's secrets.
There you have it -- invest in fancy firewalls, make people change their passwords every 90 days, filter email from spam, phish, virii, and trojans, and then sit back and watch as your employees bypass all those lovely defenses and lay your system vulnerable.
I've said it before: there's no use building a wall, firing up the boiling oil, and digging a moat and filling it with sharks if you're going to build an 8-lane superhighway through it. Companies are trying to crack down, but the myriad ways that information can get stolen or transferred from a system are enormous. USB drives, camera phones, MP3 players -- anything that can store data is a potential point of vulnerability, one which a company will be hard pressed to monitor or control. Couple that with this sudden rash of stolen laptops carrying unencrypted and often sensitive data, and there's no reason for hackers to work too hard any more, when they can just have data handed to them.
GetOuttaMySpace - The Anti-Social Network
However, it is simply solved by disabling the USB ports either physically or via the registry, which they should have been in the first place.
Most people who work in an office do not read this website.
No, but many IT professionals do. Hopefully they educate their users to be wary of anything they don't own. It's not much different than opening an attachment from an email you receive.
I'm a good cook. I'm a fantastic eater. - Steven Brust
So they must have had *some* sort of executable in there. User intervention is a requirement for this type of attack to succeed. But given the ease with which people tend to get infected from zipped and password-protected email attachments, it doesn't surprise me one bit that they ran an application from a USB thumb drive.
The vast majority of Windows machines that are infected with something or other are in that state because of the user.
Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
Well, if you had read the article, you would know the "autorun" is not done by Windows, but by "humans' innate curiosity" about files named things like anna_kournikova.scr. In other words, they clicked on the other images preplanted on the drive, and then on the virus. Really, it's spelled out in the article, and it is clear that many never clicked through the summary, as usual.
They scattered 20 trojan drives around the outside and 15 get picked up by their target. Notice how they don't bother saying what happened to the other 5. Did they not get used, not get found, found by other people? And you know some of those employees took the drives home and their personal information was captured. Yes, it's a cool hack, but unless the trojan was coded to only execute on machines with a certain MAC address it was ethically wrong.
My Hello World is 512 bytes. But it's also a valid Fat12 boot sector, Fat12 file reader, and Pmode routine.
Banks and other organizations with shared computing requiring high security should consider thin clients rather than PCs. There should be no drives on bank teller computers to transfer data either onto or off of their system.
But I would have tested the thumbdrive on an isolated computer at home first and definitely not on a computer which could possibly reveal other people's sensitive information to the world.
But most people are not you. Most people would never suspect that a USB drive on the floor was an intentional vector for a spybot. They would simply think it was a lost drive with some ordinary person's files on it, and hey, wouldn't that be interesting to look at? Do you really think that if someone brought a flash drive into the house, the Typical Mom or Dad would say "Junior, before you use that, let's first plug it into our family's quarantine PC that we don't connect to any network and see if that thing tries to phone home." Yeah, right!
The methods used by the auditors were quite well-reasoned.
Once again mankind is sticking things where they shouldn't be and getting infected...something that has been going on for centuries.
Believe it or not, the banks' #1 concern is not privacy of the customer's data. The #1 concern is accuracy of the data. The most important thing is that the money is where it is supposed to be. This is the reason that banks spend so much on their computer systems. Not to keep the information secret, but to keep it accurate.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
On another note, I sure hope that company didn't send the stuff they collected unencrypted. That's a violation of a bunch of rules. Penetrating a network for a security audit shouldn't lower the overall security of the network; if they sent it unencrypted, that's exactly what they did, though.
They could have caused the data to be sent unencrypted to a test machine inside the corporate network somewhere, or directly connected to the corporate network for the purposes of the test but outside the firewalls. That would demonstrate the possibility that the data could be sent to an arbitrary machine somewhere, but without actually sending any data unencrypted over the corporate net.
Or they could have just SSHed to their remote test machine, that would probably be just as good and not that hard to implement.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
That's also how you distribute information anonymously. I've thought about it many times, and if I were in possession of photos of the president getting head from Dick Cheney (and I am not, so don't ask me for copies :-) ) I'd just burn a few dozen CDs while wearing white gloves, a face mask, and a hair net. A little rubdown with some mild bleach solution, and I'd be in business. I'd just find places which were not under video surveillance to leave the CDs lying around. Somebody would pick the CD up and the photos would be out in public, anonymously. There's always a chance to be caught, but it's much safer than using an anonymous remailer through any IP connection from the US which can be subpoenaed and traced.
Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
Having the security method of "Run autorun file spyware.exe?" when it's told to do so by an autorun file could go a LONG way here. I hate autorun passionately - it's useful in some cases, but it's just one giant security hole most of the time. I mean, would a mere prompt be that hard to implement?
Of course this opens up a fun new possibility... bringing a USB drive to people's houses that'll have an autorun to set the browser homepage to goatse or something else equally "fun".
How are sites slashdotted when nobody reads TFAs?
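The two fixes proposed in this thread (disable USB storage through the registry, and stop autorun from launching whatever is on a found drive) can be applied and then audited from one script. This is an added example, not code from the thread or the article; the registry paths and value names are the documented Windows locations, while the function names and the compliance object are my own. It assumes an elevated PowerShell session on a single host.

```powershell
# Added example: harden a Windows workstation against the "found USB drive"
# scenario, then verify the settings took effect.
# Assumes an elevated (Administrator) PowerShell session.

$UsbStor   = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$ExplorerP = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Disable-UsbMassStorage {
    # Start = 4 is SERVICE_DISABLED: the USB mass-storage driver will not load
    # for newly attached devices. Keyboards and mice use HID drivers, so they
    # keep working; this only blocks thumb drives and similar storage.
    Set-ItemProperty -Path $UsbStor -Name Start -Value 4 -Type DWord
}

function Disable-AutoRun {
    if (-not (Test-Path $ExplorerP)) {
        New-Item -Path $ExplorerP -Force | Out-Null
    }
    # NoDriveTypeAutoRun = 0xFF sets the bit for every drive type (removable,
    # fixed, CD-ROM, network ...), so autorun.inf is never acted on automatically.
    Set-ItemProperty -Path $ExplorerP -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    # NoAutorun = 1 additionally stops Explorer from honouring autorun.inf
    # entries on Vista and later.
    Set-ItemProperty -Path $ExplorerP -Name NoAutorun -Value 1 -Type DWord
}

function Test-RemovableMediaHardening {
    # Read the values back rather than trusting that the writes succeeded;
    # returns an object suitable for a compliance report ($true = hardened).
    $start = (Get-ItemProperty -Path $UsbStor -Name Start -ErrorAction SilentlyContinue).Start
    $pol   = Get-ItemProperty -Path $ExplorerP -ErrorAction SilentlyContinue
    [pscustomobject]@{
        UsbStorDisabled = ($start -eq 4)
        AutoRunDisabled = (($pol.NoDriveTypeAutoRun -eq 0xFF) -and ($pol.NoAutorun -eq 1))
    }
}

Disable-UsbMassStorage
Disable-AutoRun
Test-RemovableMediaHardening | Format-List
```

On a domain these same values are normally pushed by Group Policy rather than per host; the Test function is still useful as the check that the policy actually landed.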
Alright, I've read a lot of people saying "just disable USB devices". Someone said that everything should be locked down and that training people is useless.
Disabling USB devices will not work. Even if you do it perfectly, that is, disable all storage devices but not keyboards, mice, etc. Why? Because CD-ROM drives have the exact same problem. I don't think floppy drives have any type of autorun function, but you can still put deceptive file names on them. Same problem with Email attachments.
Now, go disable email, CD-ROMs, floppies, USB devices, and memory card readers at your office/school and see how much work actually gets done.
You must either educate people, or restrict them to the point where they can't do their job in order to prevent your network from being infected. Given that the latter results in a huge loss of profit, I'd try to educate people.
-1 disagree is not a modifier for a reason. -1 troll, flamebait, redundant, overrated are NOT acceptable substitutes.
Sorry to bust your chops further, but the correct word would've been veritable, which implies metaphor. que sera sera.
Game Overdrive - Gaming News
Imagine years ago finding some old unlabeled floppy disk: "hey, let's check it out!" I wonder how many folks got nailed with viruses that way over the years. In my entire computing career I got one virus, one time, and that was the reason, checking out some weird disk. Learned my lesson, I did.
This on-purpose gambit is a variation on the time-tested "sting" operation. Want to catch "drug dealers" and users? Be a narc and set yourself up as a bigger drug dealer; they do stuff like that daily. Heck, the latest Canadian so-called 'terrorist' cell was infiltrated with cops and they set up the chemical fertilizer buys for them, according to the latest embarrassing leakage being reported.
With that said, very easy and slick social engineering. Even with this latest news tidbit, I bet you could go out tomorrow and pull off the same stunt. Want to up the ante, and really target the company or agency you want to nail, "lose" a laptop or PDA around there. You could even salt it with some nifty label on the outside "property of acme bigco or bigbrodotagency" or something like that, get some interest quick. The worker drone who found it might take it back to the shop with them, thinking a cow-orker "lost it". How about a guerilla zombiebot networking angle? Make cds with slick printed labels, assorted gamez! or triple xxx hardcore! "Lose" them by the hundreds hither and thon. People slap that disk in, nailed. You could even give them a few games or jpegs so it looked "legit" to them, they wouldn't even notice. Drop them around casually in high bucks high rent district someplace, nail the well heeled, steal CC numbers and passwords, etc. Lose disks like that where dotgov workers go to drink, you'd get some installs, humans being humans after all. Hecks a fire, I have seen some company trying this stuff with alleged "free internet minutes!" They used to mail me that stuff, AWOL or somesuch...
I don't think that's correct... Most banks I know (and, as I work for a large one in a visible role in the industry, I know quite a few) have highly reliable, transaction-safe systems for tracking customer data. Additionally, there are many, many checks in place to ensure data accuracy. There's a reason all of the top 10 U.S. banks still keep all retail banking data on mainframes - it may be an outdated, outmoded platform, but it has decades of development and history. Everything has an audit log. Everything has non-repudiation.
Security, on the other hand, is only something you can control at the system level. Measures such as mandatory information security training for all employees can help, but it's still up to each employee. As in every organization, the weakest link is people - social engineering is a risk everywhere.
In the case of the worst, either way, an accuracy problem is less of an issue than a security issue, in most cases. As I stated, transactions are logged, everything can be verified. There is financial risk in cases of most accuracy problems, but they can usually be resolved with a correction and occasionally, compensation of potential loss to the customer. In the cases of security compromise - loss of customer data, malicious modification of transactions, theft, etc. - the risks are much higher. Reputation risk, loss of customer confidence, or worse - serious instability in the country's and the world's economy. There is no transaction log for information theft.
Please don't misunderstand me - both are very serious situations. The difference is, we can expect and avoid accuracy problems from years of experience and process. New information and computing security risks arise all the time. Banking transactions today are almost identical to what they were 25 years ago - just digital. No one even thought of USB drives with trojans on them 5 years ago.
"Adventure? Excitement? A Jedi craves not these things."
Reformat the USB key? The bottom line: It's a *WINDOWS* exploit. Get off of Microsoft products, and you don't have these problems. Businesses that continue to use Microsoft software are, plain and simple, asking for problems. Potentially, *MAJOR* financial problems. Stockholders should *DEMAND* that businesses stop using Microsoft products because they are a very strong potential liability.
You are being MICROattacked, from various angles, in a SOFT manner.
There's a reason all of the top 10 U.S. banks still keep all retail banking data on mainframes - it may be an outdated, outmoded platform, but it has decades of development and history. Everything has an audit log. Everything has non-repudiation.
That doesn't sound outmoded to me...
What they are is out of fashion to the "PC Generation" (the same people that share viruses like candy), but those are the stupid people, and there's nothing I can do about that.
"I don't know, therefore Aliens" Wafflebox1
People love USB drives for good reasons. They make the data personal, tangible, an object that follows physical laws that users know intuitively. To an IT person, data is just ones and zeroes in some arbitrary physical medium. But to most users, there is a big difference between that letter you wrote last week disappearing into some network ether, versus residing on a physical USB drive you can hold in your hand.
Most of the comments in this thread are of the "USB drives are a big security hole! Disable them!" variety. What a classic example of IT snobbery. A good administrator, one who understands his users, would stop to think WHY people use USB drives, and try to create a solution that balances the benefits vs. risk to the users.
Along this line of reasoning, an ideal system would be a thin client that accepts USB drives for file storage, automagically backs them up when they are used, and doesn't run any executables other than what's configured. Kind of like the old Sun smart card idea where the user has a physical, tangible ID card where his files conceptually reside.
If you want your users to respect your network security concerns, you first have to try to respect your users.
Stockholders should *DEMAND* that businesses stop using Microsoft products because they are a very strong potential liability.
Yes, because spending *HUGE* chunks of money to avoid a potential problem is what big business is all about...
People replying to my sig annoy me. That's why I change it all the time.
They got a hit on 15/20 USB drives, but what happened to the other 5? If they scattered them in a public place, surely other members of the public could have picked them up and could have been compromised. This would put the auditors on the wrong side of the law, as they had no prior agreement to pentest the general public.
The "of personal information" bit doesn't make it any less incorrect. It would just mean there was a real gold mine that also contained personal information. The grandparent might have been trying to make a funny, but it was most definitely correct.
Using the word "literal" metaphorically is like using the word "truth" falsely or the word "intelligent" stupidly.
Censorship is telling a man he can't have a steak just because a baby can't chew it. --Mark Twain
So then what exactly is a "gold mine of personal information"? Is the information etched in gold bricks? It's followed by "literal" but doesn't make sense taken literally, does it?
It's sort of interesting that 15 new devices made it in the building without anyone talking about it. "Hey, look what I found" "Mine is a gig!" "Me too!". They all put it in to see what's on it probably knowing it's against the rules and did it anyway.
Thus the counterintuitively high 'value' to a social engineer (read: con-man) of an administration PROHIBITING something that's human nature.
Everyone will do it.
Everyone knows they are not supposed to.
Because it's 'wrong', nobody will tell anyone else.
Thus even IF something is obviously wrong the inclination of the victim is to HIDE their own culpability for as long as possible, making the problem last much longer (until someone else notices) and the solution THAT much harder to implement.
(Rube: "Hm. I put in that USB drive I found on the ground outside, now my computer is beeping and the hard drive is grinding away and my email is now running REALLY slowly... yikes, I'm going to get in trouble. I'll just 'disappear' the drive, call IT, and tell them something's funny with my computer."
(IT guy shows up) "Hi, what's up?"
Rube: "I dunno, it just started doing that...")
[I'm against legalization, but there are strong parallels here to our Anti Drug laws, IMO.]
Logically in the case of the USB drives, a more tolerant, understanding policy that accepts human nature would be more secure. Something like - we don't mind if you install stuff from home, just get it cleared with the IS dept first.
You're still going to have rulebreakers, but if people don't think they're going to get in trouble for ANY violation, you have better conformance universally.
-Styopa