Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Test Prompts Federal Fraud Alert

Posted by Soulskill on from the in-the-not-so-wild dept.

itwbennett writes "Johannes Ullrich, chief research officer at the SANS Institute, took great interest in a National Credit Union Administration (NCUA) warning issued earlier this week, thinking, 'Finally this is in the wild, because I've only seen it in pen tests before.' Unfortunately for Mr. Ullrich, the letter and 2 CDs that caused the kerfuffle were part of a sanctioned security test of a bank's computer systems conducted by Ohio-based security company MicroSolved. 'It was a part of some social engineering we were doing in a fully sanctioned penetration test,' said MicroSolved CEO Brent Huston. For his part, NCUA spokesman John McKechnie did not have much to say about his organization's alert, except that 'at this point, it appears that this is an isolated event.'"

2 of 36 comments (clear)

  1. Patch subscriptions by morgan_greywolf · · Score: 5, Insightful

    The best way to pull something like this off is to create CDs that look like they are part of a patch subscription. Before the spread of ubiquitous online access, many Unix and enterprise application vendors would send patches via some package carrier (Fed Ex, UPS, USPS, etc.). Many still do. Some admins automatically install anything they get in the mail without first verifying its contents.

    --
    My blog
  2. AOL CD's??? by DevConcepts · · Score: 5, Funny

    Brain: Were going to ship AOL CD's to everyone as a "new upgrade version" that will give us full control of their computer.
    Pinky: What if they don't use AOL?
    Brain: There's 49 million sheep using AOL, it should be enough to do what we are going to do.
    Pinky: Whats that brain?
    Brain: The same thing we do every night, Try to take over the world.