Free Republic
Browse · Search
General/Chat
Topics · Post Article

Skip to comments.

Social Engineering, the USB Way
Dark Reading Risky Business ^ | Jun 7, 2006 | Steve Stasiukonis

Posted on 06/14/2006 4:17:53 PM PDT by SandRat

JUNE 7, 2006 | We recently got hired by a credit union to assess the security of its network. The client asked that we really push hard on the social engineering button. In the past, they'd had problems with employees sharing passwords and giving up information easily. Leveraging our effort in the report was a way to drive the message home to the employees.

The client also indicated that USB drives were a concern, since they were an easy way for employees to steal information, as well as bring in potential vulnerabilities such as viruses and Trojans. Several other clients have raised the same concern, yet few have done much to protect themselves from a rogue USB drive plugging into their network. I wanted to see if we could tempt someone into plugging one into their employer's network.

In the past we had used a variety of social engineering tactics to compromise a network. Typically we would hang out with the smokers, sweet-talk a receptionist, or commandeer a meeting room and jack into the network. This time I knew we had to do something different. We heard that employees were talking within the credit union and were telling each other that somebody was going to test the security of the network, including the people element.

We figured we would try something different by baiting the same employees that were on high alert. We gathered all the worthless vendor giveaway thumb drives collected over the years and imprinted them with our own special piece of software. I had one of my guys write a Trojan that, when run, would collect passwords, logins and machine-specific information from the user’s computer, and then email the findings back to us.

The next hurdle we had was getting the USB drives in the hands of the credit union’s internal users. I made my way to the credit union at about 6 a.m. to make sure no employees saw us. I then proceeded to scatter the drives in the parking lot, smoking areas, and other areas employees frequented.

Once I seeded the USB drives, I decided to grab some coffee and watch the employees show up for work. Surveillance of the facility was worth the time involved. It was really amusing to watch the reaction of the employees who found a USB drive. You know they plugged them into their computers the minute they got to their desks.

I immediately called my guy that wrote the Trojan and asked if anything was received at his end. Slowly but surely info was being mailed back to him. I would have loved to be on the inside of the building watching as people started plugging the USB drives in, scouring through the planted image files, then unknowingly running our piece of software.

After about three days, we figured we had collected enough data. When I started to review our findings, I was amazed at the results. Of the 20 USB drives we planted, 15 were found by employees, and all had been plugged into company computers. The data we obtained helped us to compromise additional systems, and the best part of the whole scheme was its convenience. We never broke a sweat. Everything that needed to happen did, and in a way it was completely transparent to the users, the network, and credit union management.

Of all the social engineering efforts we have performed over the years, I always had to worry about being caught, getting detained by the police, or not getting anything of value. The USB route is really the way to go. With the exception of possibly getting caught when seeding the facility, my chances of having a problem are reduced significantly.

You’ve probably seen the experiments where users can be conned into giving up their passwords for a chocolate bar or a $1 bill. But this little giveaway took those a step further, working off humans' innate curiosity. Emailed virus writers exploit this same vulnerability, as do phishers and their clever faux Websites. Our credit union client wasn’t unique or special. All the technology and filtering and scanning in the world won’t address human nature. But it remains the single biggest open door to any company’s secrets.

Disagree? Sprinkle your receptionist's candy dish with USB drives and see for yourself how long it takes for human nature to manifest itself.

— Steve Stasiukonis is VP and founder of Secure Network Technologies Inc. Special to Dark Reading


TOPICS: Business/Economy; Society
KEYWORDS: convetions; engineering; freebees; social; usb; way
Well, when Trick-or-Treating at Conventions I won't be picking the free thumb drives.
1 posted on 06/14/2006 4:17:57 PM PDT by SandRat
[ Post Reply | Private Reply | View Replies]

To: SandRat

BUMP!


2 posted on 06/14/2006 4:59:44 PM PDT by Publius6961 (Multiculturalism is the white flag of a dying country)
[ Post Reply | Private Reply | To 1 | View Replies]

To: SandRat

Training helps, but it has to keep up with the evolving
threats, and that clearly didn't happen here. Of course,
even training won't stop problems caused by deliberately
bent users.

Why are USB ports not blocked with locking mechanical plugs
on sensitive systems? Leaving them open just invites trouble.

Ditto for FDD, IR, WiFi, PCcard slots, FireWire ports, etc.
A system is way far from secure if there's an unlocked
door at least 1 bit wide on any node anywhere on the network.

Optical drives are an even more serious problem, because
there probably are legit uses for it, but it's a data
superhighway.

With the miniaturization of storage devices and digicams,
I can't imagine how Tempested sites manage the human
risks these days ...


3 posted on 06/14/2006 5:16:03 PM PDT by Boundless
[ Post Reply | Private Reply | To 1 | View Replies]

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
General/Chat
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson