Slashdot Mirror
Social Engineering Using USB Drives
Iphtashu Fitz writes "What's the easiest way to hack into the computer systems of a credit union? It turns out that all you need to do is copy a virus/trojan onto USB drives and scatter them around the front door of the credit union. This was how a recent security audit was performed at a credit union where the employees had actually been tipped off to the audit. Security experts collected 20 old USB thumb drives and filled them with images and other data along with a trojan that would collect sensitive information and e-mail it back to them. Early one morning they planted the thumb drives around the entrances to the credit union as well as other public places where the employees were known to congregate. In very little time 15 of the 20 USB drives were plugged into company computer systems and started e-mailing usernames, passwords, etc. back to the auditors."
Thats an amazingly clever idea. "Hey, free stuff" is what I would think. And then plug it into my ubuntu box :)
"Something's wrong with you...and I hope we never do meet again." - Deftones When Girls Telephone Boys
Will have to try it...
Given autoplay and the fact that many USB keys do not need drivers, this could turn out to be a serious problem.
Why not just disable USB keys? They don't need to take that data home with them...the ChoicePoint disaster, several laptops stolen out of cars... these companies need to make are personal data more secure.
I better unplug that USB drive I found this morning.
This is going to be a hard one to stop. Humans are curious, when you find a cd, hard drive, thumb drive, the first thing your going to want to do is stick it in your computer and find out what juicy secrets are on it.
My best advice for corporations is to lock down the computers and only allow approved devices by security profile. Trying to train people not to act like people will fail.
Any better ideas other then beating the users with a stick or JB Weld in any unused ports on a computer.
I would've put autoplay Goatse on them, personally.
I remember when was a "common practice" to remove or glue floppy disks at schools...
But USB pose a different trouble. There ARE useful usb devices, like mouses and keyboards...
And further more... there are phones and digital cameras, and even thos 5 in 1 memory readers that can be used to substract information or leak viruses...
or even worse, specific purpouse programms, likt the used at the "audit"...
And also one thing I wonder, is what Antivir was "protecting" the machine? Is nt antivir doing heuristics to look after strange things at the computer, like "something" trying to get the addressbook?
Â_Â
I tried using something like this for my senior prank at school. I wanted to add a startup item that pointed to shutdown.exe on the XP systems. :)
.vbs, .bat, .exe, or even .txt files. Nothing. How could they get it to autoinstall? I know there's U3 type stuff, but that creates a fake CD Rom drive due to a CDFS partition on the flash drive itself...
I simply could NOT get anything to autorun from any type of flash drive. Autorun.inf wouldn't run
How could they get the trojan to autorun on insert? And if you're picking crap up off the ground, why wouldn't you hold shift while plugging it in if you were running Win?
You've probably seen the experiments where users can be conned into giving up their passwords for a chocolate bar or a $1 bill. But this little giveaway took those a step further, working off humans' innate curiosity. Emailed virus writers exploit this same vulnerability, as do phishers and their clever faux Websites. Our credit union client wasn't unique or special. All the technology and filtering and scanning in the world won't address human nature. But it remains the single biggest open door to any company's secrets.
There you have it -- invest in fancy firewalls, make people change their passwords every 90 days, filter email from spam, phish, virii, and trojans, and then sit back and watch as your employees bypass all those lovely defenses and lay your system vulnerable.
I've said it before: there's no use building a wall, firing up the boiling oil, and digging a moat and filling it with sharks if you're going to build an 8-lane superhighway through it. Companies are trying to crack down, but the myriad ways that information can get stolen or transferred from a system are enourmous. USB drives, camera phones, MP3 players -- anything that can store data is a potential point of vulnerability, one which a company will be hard pressed to monitor or control. Couple that with this sudden rash of stolen laptops carrying unencrypted and often sensitive data, and the there's no reason for hackers to work too hard any more, when they can just have data handed to them.
GetOuttaMySpace - The Anti-Social Network
I have to admit, this had me laughing out loud! :) I do security audits often, and I know this 'attack' would work almost anywhere.
Add this to your weekly 'security' email/meeting as I have a feeling this may happen a bit more often now...
Cybie! aka Ralph Bonnell
I hear you find them in certain parking lots...
HIV Crosses Species Barrier... into Muppets
However it is simply solved by disabling the USB ports either physically or via the registery which they should have been in the first place.
Most people who work in an office do not read this website.
No, but many IT professionals do. Hopefully they educate their users to be wary of anything they dont own. It's not much different then opening an attachment from an email you receive.
I'm a good cook. I'm a fantastic eater. - Steven Brust
Before I'd even think of something like this, I'd want signed original 8.5x11 floppies giving me explicit authorization to attack^Hevaluate systems like this.
Even then, the DHS might come after the evaluators or possession and willful use of destructive tools.
If they were running Linux the solution would be easy: disable USB Mass Storage in the kernel. USB mice and keyboards will still work, but they won't be able to read their thumb drives.
The first thing I do when I find a USB stick is to plug it in and open up documents to see who's it is. I mostly find them around campus, so a name on a paper lets me do a school directory look up. Shame to think I could get a virus from trying to help someone out, good idea and interesting application of USB sticks.
Devise, Repair, Solve, Build
The scattered 20 trojan drives around the outside and 15 get picked up by their target. Notice how the don't bother saying what happened to the other 5. Did they not get used, not get found, found by other people? And you know some of those employees took the drives home and their personal information was captured. Yes it's a cool hack but unless the trojan was coded to only execute on machines with a certain MAC address it was ethically wrong.
My Hello World is 512 bytes. But it's also a valid Fat12 boot sector, Fat12 file reader, and Pmode routine.
Banks and other organizations with shared computing requiring high security should consider thin clients rather than PCs. There should be no drives on bank teller computers to transfer data either onto or off of their system.
They used to on Macs. That was one reason Macs were so vulnerable to viruses back in the eighties. Evey file could have a resources fork and the machine would load and execute the resources on any disk you inserted. As a result mac viruses were a major problem - and this was before machines were networked.
Squirrel!
*wink wink nudge nudge*
But I would have tested the thumbdrive on an isolated computer at home first and definitely not on a computer which could possibly reveal other people's sensitive information to the world.
But most people are not you. Most people would never suspect that a USB drive on the floor was an intentional vector for a spybot. They would simply think it was a lost drive with some ordinary person's files on it, and hey, wouldn't that be interesting to look at? Do you really think that if someone brought a flash drive into the house, the Typical Mom or Dad would say "Junior, before you use that, let's first plug it into the our family's quarantine PC that we don't connect to any network and see if that thing tries to phone home." Yeah, right!
The methods used by the auditors was quite well-reasoned.
"Why?"
"IT says we got dongled, whatevthefuckthatmeans."
...you don't know where that dongle's been.
The Autorun capabilities are restricted to CD-ROM drives and fixed disk drives. If you need to make a USB storage device perform Autorun, the device must not be marked as a removable media device and the device must contain an Autorun.inf file and a startup application.
People that are geeky enough to be able to
Mutant Freaks of Nature: "Frighteningly Addictive"
Seriously. It really is.
Why not?
OK, maybe I'm too innocent. Normally I run Linux. Are you suggesting that Windows will automatically run executables from any random USB device that gets plugged into the computer?
If not, these people were dumb enough to run random executables. Granted, having both program-as-icon and data-file-as-icon is a very bad UI choice, but still... 15 out of 20? WTF?
If so, that Windows actually does the autorun thing... wait a second while I invent new words to describe this particular quality.
Workers in London financial firms, which handle a lot more money than a credit union, ran CDs from total strangers on the street.
Kevin Mitnick has pointed out that an attack like this could be made virtually certain to work. Desperately ask the receptionist to let you in, just for 90 seconds, just to use the restroom, and drop a CD on the floor labeled "CONFIDENTIAL: Layoff List". Extra points if you got a copy of the company phone directory and copied some or all of it onto the CD for the finder to browse while the autorun program chugs away.
The hardware itself reports whether it is removable or not.
If you flip one of the bits, then it will auto-play just like a CD.
http://en.wikipedia.org/wiki/SCSI_Inquiry_Command
It's the "removable medium" setting.
Once again mankind is sticking things where they shouldn't be and getting infected...something that has been going on for centuries.
Believe it or not, the banks' #1 concern is not privacy of the customer's data. The #1 concern is accuracy of the data. The most important thing is that the money is where it is supposed to be. This is the reason that banks spend so much on their computer systems. Not to keep the information secret, but to keep it accurate.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
Today's IT departments... some I have seen treat the employees as though they are retards. They are right to call some that. I don't see how some of them got their jobs. But I can't understand why more IT departments don't have security checks, and chats with the employees. Not ALL of the employees are retards, just a few of them are. Information is key, and IT departments are failing miserably everywhere sharing security tips, and rules with the employees.
As soon as you used the term "provisionings" we all knew you worked for a Fortune 500 co. Do you "connectorize" stuff, too?
My turnips listen for the soft cry of your love
In the Black Hat conference in 2005 a group introduced a few hacks to access system memory via IEE1394 (Firewire). In the Toorcon conference September 2005 an individual showed a working example of USB 2.0 being used for the same purpose. The main point of this was related to USB and Firewire being given access to system memory via DMA channels. The example shown during Toorcon was a memory dump of the computer while it was booting. Using a USB 2.0 device an attacker can modify system memory outside of the operating systems knowledge. Using a technique like this one could actually write to very low level routines on the computer without the operating system being aware of this.
... I think I have an idea for a great April Fool's prank. But I need all of you to be really, really quiet about this. 'K?
.. paranoid crackpot leftover from the days of Amiga.
Please read this earlier comment, which points out that the drive itself is being relied upon to decide whether it is a "fixed" disc.
This is a security hole you could drive a truck through.
Life is too short to proofread.
That's also how you distribute information anonymously. I've thought about it many times, and if I were in possession of photos of the president getting head from Dick Cheney (and I am not, so don't ask me for copies :-) ) I'd just burn a few dozen CD's while wearing white gloves, a face mask, and a hair net. A little rubdown with some mild bleach solution, and I'd be in business. I'd just find places which were not under video surveillance to leave the CD's laying around. Somebody would pick the CD up and the photos would be out in public, anonymously. There's always a chance to be caught, but it's much safer than using an anonymous remailer through any IP connection from the US which can be subpoenaed and traced.
Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
I belive that.. ( used to work for banks, stocks, insurance ( even more paranoid of money. ) in 70's-80's ) My problem with security is now when I'm just a user of those systems - nothing has changed or maybe gone even worse ? We solved many of these (kinds of) problems in 70's and now they pop up again ? Bad training ? Forgetting the history ? Our security checks in 75 found the computers / terminals safe ( belive me, try to break to a CICS, IMS, PATHWAY, whatever system.. ) - BUT trashcans were full of highly confidential documents - go figure? No laptops to steal but briefcases full of contracts, loan papers, investment plans, etc. were lost - no change ? Now working in homeland security - scary !! None of the financial institutions would even look these system - they would loose their money in a second but gov/state/etc.. are happy - weird again ?? On other hand - after my long carier I ( slowly ) start understanding that nobody likes easy solutions, no glory, no fame, plah. plah. plah.. So - happily collecting my decent paycheck ( and trying to tell kids, don't do that - except if you want to be rich.. )
Actually, you can make it autorun off of a thumb drive...windows just loves the autorun.ini [sic] file. You set them to hidden on there and the employees don't see it, but windows will run it.
Actually, you can't make it autorun off of a thumbdrive with an autorun.inf file even though that may work with a cd, because thumbdrives are considered removable storage like a hd or floppy, rather than removable media, like a cd. I know it because the company I work for had to replicate a ton of thumbdrives and we wanted to make them autorun like our cds, but there's no way to do it without changing the user's registry settings for autorunning.
A more likely scenario would be to name a file, "cute.jpg.exe" and giving it an image icon. Windows hides extensions by default, so all the user would see is a file that looks like an image with a tempting title to click on.
Alright, I've read a lot of people saying "just disable USB devices". Someone said that everything should be locked down and that training people is useless.
Disabling USB devices will not work. Even if you do it perfectly, that is, disable all storage devices but not keyboards, mice, etc. Why? Because CD-ROM drives have the exact same problem. I don't think floppy drives have any type of autorun function, but you can still put deceptive file names on them. Same problem with Email attachments.
Now, go disable email, CD-ROMs, floppies, USB devices, and memory card readers at your office/school and see how much work actually gets done.
You must either educate people, or restrict them to the point where they can't do their job in order to prevent your network from being infected. Given that the latter results in a huge loss of profit, I'd try to educate people.
-1 disagree is not a modifier for a reason. -1 troll, flaimbait, redundant, overrated are NOT acceptable substitutes.
No, but when floppies were more common, it was also common to have PCs set up to boot from the floppy first and only boot from the hard disk if the floppy isn't there.
There was a whole genre of viruses including the Pakistani Brain virus, that take advantage of took advantage of this, plus the tendency of people to forget to take their floppy out of the PC when turning it on. They would silently run the code hidden in the boot sector, which would infect the boot sector of the HDD and ensure that every floppy inserted from then on got the virus. At some predetermined time, the virus would release its payload.
The most vulnerable machines were the ones with multiple random users (especially schools and universities), and in the days before the internet, people were far more inclined to store their files on a floppy and take it with them.
If my call is important, why am I talking to a recording?
Sorry to bust your chops further, but the correct word would've been veritable, which implies metaphor. que sera sera.
Game Overdrive - Gaming News
I don't think that's correct... Most banks I know (and, as I work for a large one in a visible role in the industry, I know quite a few) have highly reliable, transaction-safe systems for tracking customer data. Additionally, there are many, many checks in place to ensure data accuracy. There's a reason all of the top 10 U.S. banks still keep all retail banking data on mainframes - it may be an outdated, outmoded platform, but it has decades of development and history. Everything has an audit log. Everything has non-repudiation.
Security, on the other hand, is only something you can control at the system level. Measures such as mandatory information security training for all employees can help, but it's still up to each employee. As in every organization, the weakest link is people - social engineering is a risk everywhere.
In the case of the worst, either way, an accuracy problem is less of an issue than a security issue, in most cases. As I stated, transactions are logged, everything can be verified. There is financial risk in cases of most accuracy problems, but they can usually be resolved with a correction and occasionally, compensation of potential loss to the customer. In the cases of security compromise - loss of customer data, malicious modification of transactions, theft, etc. - the risks are much higher. Reputation risk, loss of customer confidence, or worse - serious instability in the country's and the world's economy. There is no tranaction log for information theft.
Please don't misunderstand me - both are very serious situations. The difference is, we can expect and avoid accuracy problem from years of experience and process. New information and computing security risks arise all the time. Banking transactions today are almost identical to what they were 25 years ago - just digital. No one even thought of USB drives with trojans on them 5 years ago.
"Adventure? Excitement? A Jedi craves not these things."
Truth is, if I would find a usb drive, especially in an area that I work in, I would assume that it belongs to someone who is regularly in the area, and I would plug in the usb key to read the file that would be (at least on all of mine and my friends usb drives) on there called "if found.txt" obviously containing contact information of the owner. Its quite sad that we have such malicious people in our world that are willing to go to all lengths to make the world a worse place to live in. Having recently read the blog about the guy trying to get back his friends lost (and now effectively stolen) sidekick (http://www.evanwashere.com/StolenSidekick/), I was able relate completely on the fact that I would try my best to return the lost item. This would include usb keys. Its a shame that now I would have to think twice before attempting to return someones lost property due to the security risk :-(
Fix your Dell XPS m1210 screen! -- http://m1210screenfix.blogspot.com
There's a reason all of the top 10 U.S. banks still keep all retail banking data on mainframes - it may be an outdated, outmoded platform, but it has decades of development and history. Everything has an audit log. Everything has non-repudiation.
That doesn't sound outmoded to me...
What they are is out of fashion to the "PC Generation" (the same people that share viruses like candy), but those are the stupid people, and there's nothing I can do about that.
"I don't know, therefore Aliens" Wafflebox1
On the whole, I certainly aggree with you, and it's certainly refreshing to see someone who doesn't fall into the "I use Linux so I'm immune to anything" trap. But I think even you underestimate it a little.
e t_user_login=admin.") There'll often be text files or spreadsheets with all the URLs, names and passwords he uses. (The geek equivalent of post-it notes.) Etc.
.smbpassword file, but there's nothing that some trivial parsing can't extract. Or just send it to me as it is, together with any readable file referenced in it. I'll do the extraction by hand.
"Now, while you are watching a cool graphics demo, it checks if you are logged in as root and, if you are, installs a nasty payload. If not, it could simply start emailing every file it finds in your home directory, or delete them, or encrypt them."
Doesn't even need root to steal passwords. There are a _ton_ of config files and startup scripts in your home directory, which a trojan can attach itself to. It can load itself in your bash window, as a plugin in your mozilla, launch an extra program in your X, replace icons on your desktop, and god knows what else. One of those will catch on to something.
E.g., if it's, say, Suse, I know that there'll be some programs -- e.g., Yast, every time you run the auto-updater -- where the system will ask for the root password first. I can just replace the link with one to program that shows an identical dialogue.
Or, yeah, transmitting every file in your home directory is indeed another great way to get a ton of info. Source files that contain the URL, account and password to the productive database are the norm, rather than the exception. Or some cutesy script that goes through the firewall to download the latest nasa pic of the day or whatnot with wget, and in the process contains the user's name and password to go through that proxy. (Let's hope he's used that password in more than one place.) Or there'll always be one idiot who exported the productive database onto his local computer, or downloaded the server configs (including all database connections, with name and password) god knows what else he's copied there. There'll often be one idiot who's built some back door because he can't be arsed to go through the IT department to have something reconfigured or to properly log in. I'll love to know about that backdoor. There'll be emails with forgotten passwords. There'll be emails where people tell each other about those backdoors. ("Oh, if you come from the intranet zone, you can bypass the stupid authenticating proxy completely. Just use http//prod.somebank.com/internalurl/some.jsp?secr
Config files outside the home directory? Those can be fun too. E.g., everyone will have access to fstab. Maybe they'll have the name and password for every single file share they use in there, or maybe it'll be offloaded to some
Log files? Now those can be a cornucopia of classified information. I've seen people even log each user's name and password at each login through their clever UserRegistry or Single Sign On module or such. If someone copied a bunch of productive logs to their machine -- or I can get the password to the machine where they are -- I might be able to login and cause mayhem as 1000 of their customers. Or go to those customers' profile pages and find out their personal data.
Etc.
"If you aren't root the damage is limited, but there is still damage."
As I was saying, even if you aren't root, the damage done can be catastrophic. The thinking that all that matters is that the OS survives, can sometimes miss the point. Yeah, some guy's Linux installation survived perfectly. But then I got access to his company's servers. Was it that much better? I'll bet that as far as the company is concerned, they would have cared less if I just wiped out one workstation's hard drive.
A polar bear is a cartesian bear after a coordinate transform.
People love USB drives for good reasons. They make the data personal, tangible, an object that follows physical laws that users know intuitively. To an IT person, data is just ones and zeroes in some arbitrary physical medium. But to most users, there is a big difference between that letter you wrote last week disappearing into some network ether, versus residing on a physical USB drive you can hold in your hand.
Most of the comments in this thread are of the "USB drives are a big security hole! Disable them!" variety. What a classic example of IT snobbery. A good administrator, one who understands his users, would stop to think WHY people use USB drives, and try to create a solution that balances the benefits vs. risk to the users.
Along this line of reasoning, an ideal system would be a thin client that accepts USB drives for file storage, automagically backs them up when they are used, and doesn't run any executables other than what's configured. Kind of like the old Sun smart card idea where the user has a physical, tangible ID card where his files conceptually reside.
If you want your users to respect your network security concerns, you first have to try to respect your users.
One of the major banks in London have an uncanny way of stopping this sort of thing. When they get their desktop boxes delivered, they fill the USB slots with epoxy resin. It's a bit hardcore, but I guess it does the trick.
If they got a hit of 15/20 usb drives, but what happened to the other 5. If they scattered them in a public place, surely other members of the public could have picked them up and could have been compromised. This would put the auditors the wrong side of the law and they had no prior agreement to pentest the general public.
the "of personal information" bit doesn't make it any less incorrect. it would just mean there was a real gold mine that also contained personal information. the grandparent might have been trying to make a funny, but it was most definitely correct.
Using the word "literal" metaphorically is like using the word "truth" falsely or the word "intelligent" stupidly.
Censorship is telling a man he can't have a steak just because a baby can't chew it. --Mark Twain
So than what exactly is a "gold mine of personal information"? Is the information etched in gold bricks? Its followed by "literal" but doesn't make sense taken literally, does it?
1) Buy a crate of USB drives cheap..
2) Install images and Trojans on all of them
3) sell them on ebay one at a time.
4) Harvest the spoils.
5) Profit!
-Jason
Tell that to the many Paypal victims...
Yeah I know. My PayPal acount has been flagged for suspicious activity three time this month already and each time I had to reset my password and re-enter all my credit card information.
Microsoft has actually had this "exectuable firewall" working for years. It's called "Software Restriction Policies", and it's been part of Windows Group Policy since XP was released.
The problem is, maintaining a list of hashes and signatures for all exectuables, DLLs, scripts, etc. in a coporate environment is a real pain in the butt. The list is constantly changing, so almost nobody uses this feature. We use it for limited end user machines, and kiosks, but it is unworkable for end-users like developers (which would still probably fall for this example of social engineering).