Social Engineering Using USB Drives
Iphtashu Fitz writes "What's the easiest way to hack into the computer systems of a credit union? It turns out that all you need to do is copy a virus/trojan onto USB drives and scatter them around the front door of the credit union. This was how a recent security audit was performed at a credit union where the employees had actually been tipped off to the audit. Security experts collected 20 old USB thumb drives and filled them with images and other data along with a trojan that would collect sensitive information and e-mail it back to them. Early one morning they planted the thumb drives around the entrances to the credit union as well as other public places where the employees were known to congregate. In very little time 15 of the 20 USB drives were plugged into company computer systems and started e-mailing usernames, passwords, etc. back to the auditors."
That's an amazingly clever idea. "Hey, free stuff" is what I would think. And then plug it into my Ubuntu box :)
I better unplug that USB drive I found this morning.
I would've put autoplay Goatse on them, personally.
"Why?"
"IT says we got dongled, whatevthefuckthatmeans."
The Autorun capabilities are restricted to CD-ROM drives and fixed disk drives. If you need to make a USB storage device perform Autorun, the device must not be marked as a removable media device and the device must contain an Autorun.inf file and a startup application.
People that are geeky enough to be able to
Mutant Freaks of Nature: "Frighteningly Addictive"
Workers in London financial firms, which handle a lot more money than a credit union, ran CDs from total strangers on the street.
Kevin Mitnick has pointed out that an attack like this could be made virtually certain to work. Desperately ask the receptionist to let you in, just for 90 seconds, just to use the restroom, and drop a CD on the floor labeled "CONFIDENTIAL: Layoff List". Extra points if you got a copy of the company phone directory and copied some or all of it onto the CD for the finder to browse while the autorun program chugs away.
The hardware itself reports whether it is removable or not.
If you flip one of the bits, then it will auto-play just like a CD.
http://en.wikipedia.org/wiki/SCSI_Inquiry_Command
It's the "removable medium" setting.
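For the "removable medium" bit discussed in the comments above, here is an added example (not part of the original thread) that decodes the header of a SCSI standard INQUIRY response and flags a USB-attached device that reports itself as a fixed disk or as a CD/DVD device. The sample bytes, the `ACME` vendor string, the `bus` argument and the flagging policy are assumptions made for illustration.

```python
"""Decode a SCSI standard INQUIRY header and audit the RMB bit (added example)."""
from dataclasses import dataclass

TYPE_DISK, TYPE_CDROM = 0x00, 0x05  # SCSI peripheral device type codes


@dataclass
class Inquiry:
    device_type: int
    removable: bool  # RMB: byte 1, bit 7
    vendor: str
    product: str
    revision: str


def _text(raw: bytes) -> str:
    return raw.decode("ascii", "replace").strip()


def parse_inquiry(data: bytes) -> Inquiry:
    """Parse the first 36 bytes of standard INQUIRY data."""
    if len(data) < 36:
        raise ValueError("standard INQUIRY data is at least 36 bytes")
    return Inquiry(
        device_type=data[0] & 0x1F,        # low 5 bits of byte 0
        removable=bool(data[1] & 0x80),    # the "removable medium" bit
        vendor=_text(data[8:16]),
        product=_text(data[16:32]),
        revision=_text(data[32:36]),
    )


def audit(inq: Inquiry, bus: str) -> list[str]:
    """Inventory findings; `bus` comes from the caller (assumed policy)."""
    findings = []
    if bus == "usb" and inq.device_type == TYPE_DISK and not inq.removable:
        findings.append("USB disk reports itself as fixed (RMB=0)")
    if bus == "usb" and inq.device_type == TYPE_CDROM:
        findings.append("USB device presents as CD/DVD")
    return findings


def make_sample(rmb: bool, dev_type: int = TYPE_DISK) -> bytes:
    """Constructed sample response, not captured from real hardware."""
    hdr = bytes([dev_type, 0x80 if rmb else 0x00, 0x06, 0x02, 31, 0, 0, 0])
    return hdr + b"ACME".ljust(8) + b"Flash Disk".ljust(16) + b"1.00"


if __name__ == "__main__":
    for rmb in (True, False):
        inq = parse_inquiry(make_sample(rmb))
        print(inq.product, "RMB =", int(inq.removable), audit(inq, "usb"))
```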
Believe it or not, the banks' #1 concern is not privacy of the customer's data. The #1 concern is accuracy of the data. The most important thing is that the money is where it is supposed to be. This is the reason that banks spend so much on their computer systems. Not to keep the information secret, but to keep it accurate.
At the Black Hat conference in 2005, a group introduced a few hacks to access system memory via IEEE 1394 (FireWire). At the Toorcon conference in September 2005, an individual showed a working example of USB 2.0 being used for the same purpose. The main point of this was related to USB and FireWire being given access to system memory via DMA channels. The example shown during Toorcon was a memory dump of the computer while it was booting. Using a USB 2.0 device, an attacker can modify system memory outside of the operating system's knowledge. Using a technique like this, one could actually write to very low-level routines on the computer without the operating system being aware of this.
Windows XP SP2 changed this behavior and will use the autorun.inf file to autorun. I use this every day to have TrueCrypt automatically pop up to mount my encrypted volume on my USB drive.
People love USB drives for good reasons. They make the data personal, tangible, an object that follows physical laws that users know intuitively. To an IT person, data is just ones and zeroes in some arbitrary physical medium. But to most users, there is a big difference between that letter you wrote last week disappearing into some network ether, versus residing on a physical USB drive you can hold in your hand.
Most of the comments in this thread are of the "USB drives are a big security hole! Disable them!" variety. What a classic example of IT snobbery. A good administrator, one who understands his users, would stop to think WHY people use USB drives, and try to create a solution that balances the benefits vs. risk to the users.
Along this line of reasoning, an ideal system would be a thin client that accepts USB drives for file storage, automagically backs them up when they are used, and doesn't run any executables other than what's configured. Kind of like the old Sun smart card idea where the user has a physical, tangible ID card where his files conceptually reside.
If you want your users to respect your network security concerns, you first have to try to respect your users.