Slashdot Mirror

← Back to Stories (view on slashdot.org)

Social Engineering Using USB Drives

Posted by ryuzaki0 on from the driving-right-in dept.

Iphtashu Fitz writes "What's the easiest way to hack into the computer systems of a credit union? It turns out that all you need to do is copy a virus/trojan onto USB drives and scatter them around the front door of the credit union. This was how a recent security audit was performed at a credit union where the employees had actually been tipped off to the audit. Security experts collected 20 old USB thumb drives and filled them with images and other data along with a trojan that would collect sensitive information and e-mail it back to them. Early one morning they planted the thumb drives around the entrances to the credit union as well as other public places where the employees were known to congregate. In very little time 15 of the 20 USB drives were plugged into company computer systems and started e-mailing usernames, passwords, etc. back to the auditors."

14 of 447 comments (clear)

  1. wow by nb+caffeine · · Score: 5, Insightful

    Thats an amazingly clever idea. "Hey, free stuff" is what I would think. And then plug it into my ubuntu box :)

    --

    "Something's wrong with you...and I hope we never do meet again." - Deftones When Girls Telephone Boys
    1. Re:wow by Bender0x7D1 · · Score: 5, Insightful

      Unfortunately, even if you run ubuntu, you are still vulnerable - that's the beauty of social engineering.

      Sure, you might not fall for a renamed executable on a USB drive, but what if it's taken a step farther?

      Imagine you are walking into work early, and find an open folder on the floor, with some papers strewn around and a CD or DVD in with it. Imagine the paper is an application to put on a SIGGRAPH demonstration, and on the CD is a WINDOWS directory, a LINUX directory, a BSD directory and a SOLARIS directory and each directory has a file named SIGGRAPH_presentation.exe or there is a SIGGRAPH_presentation.jar, (eliminating the need for multiple OS versions), with a README about how to execute it. You figure, "What the heck - I love cool graphics."

      Now, while you are watching a cool graphics demo, it checks if you are logged in as root and, if you are, installs a nasty payload. If not, it could simply start emailing every file it finds in your home directory, or delete them, or encrypt them.

      I don't care what OS you are running, if you can be convinced to execute something, there will be some damage done. If you aren't root the damage is limited, but there is still damage. The attack may have to involve more research on a person's interests, or require more "found" hardware to convince someone, but it can be done. Maybe someone has to buy some hardware from ThinkGeek and make a fake installation disk, then leave the box, (with the modified disk), somewhere you will come across it.

      Being convinced you are immune to the dangers of social engineering is not a good way to avoid being social engineered. A healthy dose of paranoia can go far - and it's only paranoia if there isn't anyone out to get you.

      --
      Reading code is like reading the dictionary - you have to read half of it before you can go back and understand it.
  2. Human curiosity kills the computer by PlusFiveTroll · · Score: 4, Insightful

    This is going to be a hard one to stop. Humans are curious, when you find a cd, hard drive, thumb drive, the first thing your going to want to do is stick it in your computer and find out what juicy secrets are on it.

    My best advice for corporations is to lock down the computers and only allow approved devices by security profile. Trying to train people not to act like people will fail.

    Any better ideas other then beating the users with a stick or JB Weld in any unused ports on a computer.

  3. Through the front door by Billosaur · · Score: 4, Insightful

    You've probably seen the experiments where users can be conned into giving up their passwords for a chocolate bar or a $1 bill. But this little giveaway took those a step further, working off humans' innate curiosity. Emailed virus writers exploit this same vulnerability, as do phishers and their clever faux Websites. Our credit union client wasn't unique or special. All the technology and filtering and scanning in the world won't address human nature. But it remains the single biggest open door to any company's secrets.

    There you have it -- invest in fancy firewalls, make people change their passwords every 90 days, filter email from spam, phish, virii, and trojans, and then sit back and watch as your employees bypass all those lovely defenses and lay your system vulnerable.

    I've said it before: there's no use building a wall, firing up the boiling oil, and digging a moat and filling it with sharks if you're going to build an 8-lane superhighway through it. Companies are trying to crack down, but the myriad ways that information can get stolen or transferred from a system are enourmous. USB drives, camera phones, MP3 players -- anything that can store data is a potential point of vulnerability, one which a company will be hard pressed to monitor or control. Couple that with this sudden rash of stolen laptops carrying unencrypted and often sensitive data, and the there's no reason for hackers to work too hard any more, when they can just have data handed to them.

    --
    GetOuttaMySpace - The Anti-Social Network
  4. Re:Unfortunatly... by nitehawk214 · · Score: 4, Insightful

    Most people who work in an office do not read this website.

    No, but many IT professionals do. Hopefully they educate their users to be wary of anything they dont own. It's not much different then opening an attachment from an email you receive.

    --
    I'm a good cook. I'm a fantastic eater. - Steven Brust
  5. And the other 5 trojan drives went where? by ChaseTec · · Score: 4, Insightful

    The scattered 20 trojan drives around the outside and 15 get picked up by their target. Notice how the don't bother saying what happened to the other 5. Did they not get used, not get found, found by other people? And you know some of those employees took the drives home and their personal information was captured. Yes it's a cool hack but unless the trojan was coded to only execute on machines with a certain MAC address it was ethically wrong.

    --
    My Hello World is 512 bytes. But it's also a valid Fat12 boot sector, Fat12 file reader, and Pmode routine.
  6. Thin Clients by jabelar · · Score: 3, Insightful

    Banks and other organizations with shared computing requiring high security should consider thin clients rather than PCs. There should be no drives on bank teller computers to transfer data either onto or off of their system.

  7. Age old problem... by elderban99 · · Score: 4, Insightful

    Once again mankind is sticking things where they shouldn't be and getting infected...something that has been going on for centuries.

  8. Re:Pretty scary. by CastrTroy · · Score: 5, Insightful

    Believe it or not, the banks' #1 concern is not privacy of the customer's data. The #1 concern is accuracy of the data. The most important thing is that the money is where it is supposed to be. This is the reason that banks spend so much on their computer systems. Not to keep the information secret, but to keep it accurate.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  9. Don't disable anything by Mr.+Freeman · · Score: 4, Insightful

    Alright, I've read a lot of people saying "just disable USB devices". Someone said that everything should be locked down and that training people is useless.

    Disabling USB devices will not work. Even if you do it perfectly, that is, disable all storage devices but not keyboards, mice, etc. Why? Because CD-ROM drives have the exact same problem. I don't think floppy drives have any type of autorun function, but you can still put deceptive file names on them. Same problem with Email attachments.

    Now, go disable email, CD-ROMs, floppies, USB devices, and memory card readers at your office/school and see how much work actually gets done.

    You must either educate people, or restrict them to the point where they can't do their job in order to prevent your network from being infected. Given that the latter results in a huge loss of profit, I'd try to educate people.

    --
    -1 disagree is not a modifier for a reason. -1 troll, flaimbait, redundant, overrated are NOT acceptable substitutes.
    1. Re:Don't disable anything by realmolo · · Score: 4, Insightful

      Unless they need to use the CDROM drive, floppy drive, USB devices, or memory cards to DO THEIR JOB, then they SHOULD be disabled.

      The fact is, in a business setting, the machines should be completely locked down so that users can do ONLY what they need to do, and nothing else.

      Of course, politics tend to prevent that from happening. But it is proper "procedure".

  10. Re:Pretty scary. by Dorothy+86 · · Score: 3, Insightful

    Sorry to bust your chops further, but the correct word would've been veritable, which implies metaphor. que sera sera.

    --
    Game Overdrive - Gaming News
  11. Disabling USB drives is missing the point by InakaBoyJoe · · Score: 5, Insightful

    People love USB drives for good reasons. They make the data personal, tangible, an object that follows physical laws that users know intuitively. To an IT person, data is just ones and zeroes in some arbitrary physical medium. But to most users, there is a big difference between that letter you wrote last week disappearing into some network ether, versus residing on a physical USB drive you can hold in your hand.

    Most of the comments in this thread are of the "USB drives are a big security hole! Disable them!" variety. What a classic example of IT snobbery. A good administrator, one who understands his users, would stop to think WHY people use USB drives, and try to create a solution that balances the benefits vs. risk to the users.

    Along this line of reasoning, an ideal system would be a thin client that accepts USB drives for file storage, automagically backs them up when they are used, and doesn't run any executables other than what's configured. Kind of like the old Sun smart card idea where the user has a physical, tangible ID card where his files conceptually reside.

    If you want your users to respect your network security concerns, you first have to try to respect your users.

  12. Did the Auditors break the law by HerebeDragon · · Score: 3, Insightful

    If they got a hit of 15/20 usb drives, but what happened to the other 5. If they scattered them in a public place, surely other members of the public could have picked them up and could have been compromised. This would put the auditors the wrong side of the law and they had no prior agreement to pentest the general public.