Slashdot Mirror

← Back to Stories (view on slashdot.org)

Social Engineering Using USB Drives

Posted by ryuzaki0 on from the driving-right-in dept.

Iphtashu Fitz writes "What's the easiest way to hack into the computer systems of a credit union? It turns out that all you need to do is copy a virus/trojan onto USB drives and scatter them around the front door of the credit union. This was how a recent security audit was performed at a credit union where the employees had actually been tipped off to the audit. Security experts collected 20 old USB thumb drives and filled them with images and other data along with a trojan that would collect sensitive information and e-mail it back to them. Early one morning they planted the thumb drives around the entrances to the credit union as well as other public places where the employees were known to congregate. In very little time 15 of the 20 USB drives were plugged into company computer systems and started e-mailing usernames, passwords, etc. back to the auditors."

2 of 447 comments (clear)

  1. Related work by Beryllium+Sphere(tm) · · Score: 5, Interesting

    Workers in London financial firms, which handle a lot more money than a credit union, ran CDs from total strangers on the street.

    Kevin Mitnick has pointed out that an attack like this could be made virtually certain to work. Desperately ask the receptionist to let you in, just for 90 seconds, just to use the restroom, and drop a CD on the floor labeled "CONFIDENTIAL: Layoff List". Extra points if you got a copy of the company phone directory and copied some or all of it onto the CD for the finder to browse while the autorun program chugs away.

  2. USB devices offers some nasty options by warlock.da.newbie · · Score: 5, Interesting

    In the Black Hat conference in 2005 a group introduced a few hacks to access system memory via IEE1394 (Firewire). In the Toorcon conference September 2005 an individual showed a working example of USB 2.0 being used for the same purpose. The main point of this was related to USB and Firewire being given access to system memory via DMA channels. The example shown during Toorcon was a memory dump of the computer while it was booting. Using a USB 2.0 device an attacker can modify system memory outside of the operating systems knowledge. Using a technique like this one could actually write to very low level routines on the computer without the operating system being aware of this.