Slashdot Mirror


Social Engineering Using USB Drives

Iphtashu Fitz writes "What's the easiest way to hack into the computer systems of a credit union? It turns out that all you need to do is copy a virus/trojan onto USB drives and scatter them around the front door of the credit union. This was how a recent security audit was performed at a credit union where the employees had actually been tipped off to the audit. Security experts collected 20 old USB thumb drives and filled them with images and other data along with a trojan that would collect sensitive information and e-mail it back to them. Early one morning they planted the thumb drives around the entrances to the credit union as well as other public places where the employees were known to congregate. In very little time 15 of the 20 USB drives were plugged into company computer systems and started e-mailing usernames, passwords, etc. back to the auditors."

15 of 447 comments

  1. Close those ports. by bubulubugoth · Score: 3, Interesting

    I remember when it was a "common practice" to remove or glue floppy disks at schools...

    But USB poses a different trouble. There ARE useful USB devices, like mice and keyboards...

    And furthermore... there are phones and digital cameras, and even those 5-in-1 memory readers that can be used to extract information or leak viruses...

    or even worse, specific-purpose programs, like the one used at the "audit"...

    And one more thing I wonder: what antivirus was "protecting" the machine? Isn't antivirus doing heuristics to look for strange things on the computer, like "something" trying to get the address book?

  2. But.. How? by Anonymous Coward · Score: 3, Interesting

    I tried using something like this for my senior prank at school. I wanted to add a startup item that pointed to shutdown.exe on the XP systems. :)

    I simply could NOT get anything to autorun from any type of flash drive. Autorun.inf wouldn't run .vbs, .bat, .exe, or even .txt files. Nothing. How could they get it to autoinstall? I know there's U3 type stuff, but that creates a fake CD Rom drive due to a CDFS partition on the flash drive itself...

    How could they get the trojan to autorun on insert? And if you're picking crap up off the ground, why wouldn't you hold shift while plugging it in if you were running Win?

  3. Smart idea!! by Cybersonic · Score: 4, Interesting

    I have to admit, this had me laughing out loud! :) I do security audits often, and I know this 'attack' would work almost anywhere.

    Add this to your weekly 'security' email/meeting as I have a feeling this may happen a bit more often now...

    --
    Cybie! aka Ralph Bonnell
  4. Re:It's definitely a problem... by jafiwam · Score: 4, Interesting

    Per the autoplay disabler function in Group Policy in Windows, all removable drives aside from optical disks (DVD/CDROM) have autoplay disabled by default.

    They didn't use autoplay, they used an enticing file name on an executable. (My wife Pics.exe (with a zip icon) would do it.)

    It's sort of interesting that 15 new devices made it in the building without anyone talking about it. "Hey, look what I found" "Mine is a gig!" "Me too!". They all put it in to see what's on it probably knowing it's against the rules and did it anyway.

    It's not ignorance, it's "I think I can get away with it."

    I wish I could find thumb drives in the parking lot.

    On another note, I sure hope that company didn't send the stuff they collected unencrypted. That's a violation of a bunch of rules. Penetrating a network for a security audit shouldn't lower the overall security of the network; if they sent it unencrypted, that's exactly what they did though.
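
    The lure described in this comment (an executable carrying a data-file-looking name and icon) is something a help desk can triage before a found drive reaches a workstation. The following is an added example, not code from the original post or from the auditors: it walks a mounted volume and flags double extensions, executables with enticing names, and files whose extension says "data" but whose first bytes are the MZ header of a Windows executable (the icon cannot be checked by name, which is why the header check exists). The sample volume, file names and the word list are constructed for the example.

```python
"""Triage a mounted removable volume for executables disguised as data files."""
import tempfile
from pathlib import Path

# Extensions Windows launches directly when double-clicked.
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Extensions a user expects to open as harmless data.
DATA_EXT = {".jpg", ".jpeg", ".png", ".gif", ".zip", ".pdf", ".doc", ".txt"}
# Constructed (hypothetical) word list of lure-style names.
LURE_WORDS = ("pic", "photo", "confidential", "salary", "layoff")
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE executable


def is_pe(path: Path) -> bool:
    """True if the file starts with the MZ header, whatever its name says."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == PE_MAGIC
    except OSError:
        return False


def classify(path: Path):
    """Return a reason string if the file looks like a lure, else None."""
    suffixes = [s.lower() for s in path.suffixes]
    ext = suffixes[-1] if suffixes else ""
    if ext in EXEC_EXT and len(suffixes) > 1 and suffixes[-2] in DATA_EXT:
        return "double extension hides executable: " + "".join(suffixes)
    if ext in EXEC_EXT and any(w in path.stem.lower() for w in LURE_WORDS):
        return "executable with enticing name"
    if ext in DATA_EXT and is_pe(path):
        return "PE binary renamed to data extension " + ext
    return None


def triage_volume(root):
    """Walk the volume and return (file name, reason) pairs for suspicious files."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            reason = classify(p)
            if reason:
                findings.append((p.name, reason))
    return findings


def build_sample_volume() -> Path:
    """Constructed sample volume (a temp directory, not a real drive image)."""
    root = Path(tempfile.mkdtemp(prefix="usb_sample_"))
    (root / "My wife Pics.exe").write_bytes(b"MZ" + b"\x90" * 62)   # the lure from the comment
    (root / "Q3 report.pdf.exe").write_bytes(b"MZ" + b"\x00" * 62)  # double extension
    (root / "holiday.jpg").write_bytes(b"MZ" + b"\x00" * 62)        # executable renamed .jpg
    (root / "notes.txt").write_text("shopping list\n")               # genuinely harmless
    (root / "beach.png").write_bytes(b"\x89PNG\r\n\x1a\n")           # real PNG header
    return root
```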

  5. Re:Nice social engineering. by Anonymous Coward · Score: 1, Interesting

    Except that many new machines (especially Dells) have no legacy keyboard/mice ports on them. So disabling USB renders the computer useless.

  6. Black Hat Hazards! by redelm · Score: 2, Interesting

    Wasn't some dude prosecuted for doing Black Hat ops, even though he was hired specifically to evaluate security?

    Before I'd even think of something like this, I'd want signed original 8.5x11 floppies giving me explicit authorization to attack^Hevaluate systems like this.

    Even then, the DHS might come after the evaluators for possession and willful use of destructive tools.

  7. Re:Nice social engineering. by FirstTimeCaller · Score: 4, Interesting

    At WinHec this year, Microsoft reported that many companies were using glue guns(!) to secure their networks against USB drives. They then went on to claim that Vista will make this unnecessary (as well as curing world hunger and making you look thin in those pants...)

    --
    Wanted: witty unique signature. Must be willing to relocate.
  8. Interesting Idea by vandalman · Score: 2, Interesting

    The first thing I do when I find a USB stick is to plug it in and open up documents to see whose it is. I mostly find them around campus, so a name on a paper lets me do a school directory lookup. Shame to think I could get a virus from trying to help someone out; good idea and interesting application of USB sticks.

    --
    Devise, Repair, Solve, Build
  9. Pretty scary. by mlow82 · Score: 1, Interesting

    It's pretty scary how the thumbdrives were plugged into company computer systems. You'd think the employees would know better. They work at a credit union, a literal gold mine of personal information that should be carefully guarded. I admit I would have had the same reaction as the parent and would have instantly jumped at the opportunity for free flash memory. But I would have tested the thumbdrive on an isolated computer at home first and definitely not on a computer which could possibly reveal other people's sensitive information to the world.

    1. Re:Pretty scary. by tuomoks · Score: 3, Interesting

      I believe that.. ( used to work for banks, stocks, insurance ( even more paranoid of money. ) in 70's-80's ) My problem with security is now when I'm just a user of those systems - nothing has changed or maybe gone even worse ? We solved many of these (kinds of) problems in 70's and now they pop up again ? Bad training ? Forgetting the history ? Our security checks in 75 found the computers / terminals safe ( believe me, try to break into a CICS, IMS, PATHWAY, whatever system.. ) - BUT trashcans were full of highly confidential documents - go figure? No laptops to steal but briefcases full of contracts, loan papers, investment plans, etc. were lost - no change ? Now working in homeland security - scary !! None of the financial institutions would even look at these systems - they would lose their money in a second but gov/state/etc.. are happy - weird again ?? On the other hand - after my long career I ( slowly ) start understanding that nobody likes easy solutions, no glory, no fame, blah. blah. blah.. So - happily collecting my decent paycheck ( and trying to tell kids, don't do that - except if you want to be rich.. )

    2. Re:Pretty scary. by Dal Platinum · Score: 2, Interesting

      One of the major banks in London has an uncanny way of stopping this sort of thing. When they get their desktop boxes delivered, they fill the USB slots with epoxy resin. It's a bit hardcore, but I guess it does the trick.

  10. I'd plug it in. by r00t · Score: 3, Interesting

    Why not?

    OK, maybe I'm too innocent. Normally I run Linux. Are you suggesting that Windows will automatically run executables from any random USB device that gets plugged into the computer?

    If not, these people were dumb enough to run random executables. Granted, having both program-as-icon and data-file-as-icon is a very bad UI choice, but still... 15 out of 20? WTF?

    If so, that Windows actually does the autorun thing... wait a second while I invent new words to describe this particular quality.

  11. Related work by Beryllium Sphere(tm) · Score: 5, Interesting

    Workers in London financial firms, which handle a lot more money than a credit union, ran CDs from total strangers on the street.

    Kevin Mitnick has pointed out that an attack like this could be made virtually certain to work. Desperately ask the receptionist to let you in, just for 90 seconds, just to use the restroom, and drop a CD on the floor labeled "CONFIDENTIAL: Layoff List". Extra points if you got a copy of the company phone directory and copied some or all of it onto the CD for the finder to browse while the autorun program chugs away.

  12. USB devices offer some nasty options by warlock.da.newbie · Score: 5, Interesting

    At the Black Hat conference in 2005 a group introduced a few hacks to access system memory via IEEE 1394 (FireWire). At the Toorcon conference in September 2005 an individual showed a working example of USB 2.0 being used for the same purpose. The main point of this was related to USB and FireWire being given access to system memory via DMA channels. The example shown during Toorcon was a memory dump of the computer while it was booting. Using a USB 2.0 device an attacker can modify system memory outside of the operating system's knowledge. Using a technique like this one could actually write to very low-level routines on the computer without the operating system being aware of this.

  13. Doesn't even need root by Moraelin · Score: 4, Interesting

    On the whole, I certainly agree with you, and it's certainly refreshing to see someone who doesn't fall into the "I use Linux so I'm immune to anything" trap. But I think even you underestimate it a little.

    "Now, while you are watching a cool graphics demo, it checks if you are logged in as root and, if you are, installs a nasty payload. If not, it could simply start emailing every file it finds in your home directory, or delete them, or encrypt them."

    Doesn't even need root to steal passwords. There are a _ton_ of config files and startup scripts in your home directory, which a trojan can attach itself to. It can load itself in your bash window, as a plugin in your mozilla, launch an extra program in your X, replace icons on your desktop, and god knows what else. One of those will catch on to something.

    E.g., if it's, say, Suse, I know that there'll be some programs -- e.g., Yast, every time you run the auto-updater -- where the system will ask for the root password first. I can just replace the link with one to a program that shows an identical dialogue.

    Or, yeah, transmitting every file in your home directory is indeed another great way to get a ton of info. Source files that contain the URL, account and password to the productive database are the norm, rather than the exception. Or some cutesy script that goes through the firewall to download the latest NASA pic of the day or whatnot with wget, and in the process contains the user's name and password to go through that proxy. (Let's hope he's used that password in more than one place.) Or there'll always be one idiot who exported the productive database onto his local computer, or downloaded the server configs (including all database connections, with name and password), and god knows what else he's copied there. There'll often be one idiot who's built some back door because he can't be arsed to go through the IT department to have something reconfigured or to properly log in. I'd love to know about that backdoor. There'll be emails with forgotten passwords. There'll be emails where people tell each other about those backdoors. ("Oh, if you come from the intranet zone, you can bypass the stupid authenticating proxy completely. Just use http//prod.somebank.com/internalurl/some.jsp?secret_user_login=admin.") There'll often be text files or spreadsheets with all the URLs, names and passwords he uses. (The geek equivalent of post-it notes.) Etc.

    Config files outside the home directory? Those can be fun too. E.g., everyone will have access to fstab. Maybe they'll have the name and password for every single file share they use in there, or maybe it'll be offloaded to some .smbpassword file, but there's nothing that some trivial parsing can't extract. Or just send it to me as it is, together with any readable file referenced in it. I'll do the extraction by hand.

    Log files? Now those can be a cornucopia of classified information. I've seen people even log each user's name and password at each login through their clever UserRegistry or Single Sign On module or such. If someone copied a bunch of productive logs to their machine -- or I can get the password to the machine where they are -- I might be able to log in and cause mayhem as 1000 of their customers. Or go to those customers' profile pages and find out their personal data.

    Etc.

    "If you aren't root the damage is limited, but there is still damage."

    As I was saying, even if you aren't root, the damage done can be catastrophic. The thinking that all that matters is that the OS survives can sometimes miss the point. Yeah, some guy's Linux installation survived perfectly. But then I got access to his company's servers. Was it that much better? I'll bet that as far as the company is concerned, they would have cared less if I just wiped out one workstation's hard drive.

    --
    A polar bear is a cartesian bear after a coordinate transform.
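
    The exposure this comment describes (credentials sitting in source files, wget/proxy scripts, an fstab pointing at a .smbpassword file, all readable by the unprivileged user) is something a workstation owner can audit for themselves. The following is an added example, not code from the original post: it walks a home directory, flags password assignments and user:pass@ URLs, follows any credentials= reference to the file it names (which is just as readable), and records whether each hit is also world-readable. The sample home directory, file names and secret values are constructed for the example.

```python
"""Audit a home directory tree for plaintext credentials an unprivileged trojan could read."""
import re
import stat
import tempfile
from pathlib import Path

PASSWORD_RE = re.compile(r"\b(?:password|passwd|pwd)\s*[=:]\s*\S+", re.I)
# scheme://user:pass@host - credentials carried inside a URL (e.g. http_proxy)
URL_CRED_RE = re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s/:@]+:[^\s/@]+@", re.I)
# cifs/smb mount option naming a separate credentials file
CRED_FILE_RE = re.compile(r"\bcredentials=([^,\s]+)")
MAX_BYTES = 1 << 20  # skip large binaries and logs; this pass is for text-like files


def scan_file(path, findings, seen):
    """Append a finding per credential-bearing line; follow credentials= references once."""
    path = Path(path)
    if path in seen or not path.is_file() or path.stat().st_size > MAX_BYTES:
        return
    seen.add(path)
    world_readable = bool(path.stat().st_mode & stat.S_IROTH)
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return
    for lineno, line in enumerate(text.splitlines(), 1):
        kinds = []
        if PASSWORD_RE.search(line):
            kinds.append("password assignment")
        if URL_CRED_RE.search(line):
            kinds.append("credentials embedded in URL")
        ref = CRED_FILE_RE.search(line)
        if ref:
            kinds.append("references credentials file")
            scan_file(ref.group(1), findings, seen)  # the referenced file is readable too
        for kind in kinds:
            findings.append({"file": path.name, "line": lineno, "kind": kind,
                             "world_readable": world_readable})


def scan_home(root):
    """Return all findings under root as a list of dicts."""
    findings, seen = [], set()
    for p in sorted(Path(root).rglob("*")):
        scan_file(p, findings, seen)
    return findings


def build_sample_home() -> Path:
    """Constructed sample home directory (temp dir, not real data)."""
    root = Path(tempfile.mkdtemp(prefix="home_sample_"))
    smb = root / ".smbpassword"
    smb.write_text("username=bob\npassword=hunter2\n")
    smb.chmod(0o600)
    (root / "fstab").write_text(f"//fileserver/docs /mnt/docs cifs credentials={smb},uid=1000 0 0\n")
    (root / "getpic.sh").write_text("export http_proxy=http://bob:hunter2@proxy.example:3128\n"
                                    "wget https://example.org/pic.jpg\n")
    (root / "getpic.sh").chmod(0o755)
    (root / "Db.java").write_text('String url = "jdbc:mysql://prod-db/app";\n'
                                  'String password = "s3cret";\n')
    (root / "README.txt").write_text("Remember to set a strong password in the UI.\n")
    return root
```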