Social Engineering, the USB Way
Those thumb drives can turn external threats into internal ones.
The folks at DarkReading recently got hired by a credit union to assess the security of its network. The client asked that they really push hard on the social engineering button. In the past, they'd had problems with employees sharing passwords and giving up information easily. Leveraging their effort in the report was a way to drive the message home to the employees.
The client also indicated that USB drives were a concern, since they were an easy way for employees to steal information, as well as bring in potential vulnerabilities such as viruses and Trojans. Several other clients have raised the same concern, yet few have done much to protect themselves from a rogue drive plugging into their network. So the DarkReading guys wanted to see if they could tempt someone into plugging one into their employer's network.
In the past they had used a variety of social engineering tactics to compromise a network. Typically they would hang out with the smokers, sweet-talk a receptionist, or commandeer a meeting room and jack into the network. This time, they knew they'd have to do something different. Employees were talking within the credit union and were telling each other that somebody was going to test the security of the network, including the people element.
So DarkReading tried something different by baiting the same employees that were on high alert. They gathered all the worthless vendor giveaway thumb drives collected over the years and imprinted them with their own special piece of software. One of their guys wrote a Trojan that, when run, would collect passwords, log-ins and machine-specific information from the user's computer, and then email the findings back.
The next hurdle was getting the USB drives in the hands of the credit union's internal users. Simply enough, they made their way to the credit union at about 6am to make sure no employees saw them. They then proceeded to scatter the drives in the parking lot, smoking areas and other areas employees frequented.
Once the drives were seeded, it was time to grab some coffee and watch the employees show up for work. Surveillance of the facility was worth the time involved. It was really amusing to watch the reaction of the employees who found a USB drive. You know they plugged them into their computers the minute they got to their desk.
Upon calling the guy who wrote the Trojan and asking if anything was received at his end, it was revealed that slowly but surely info was being mailed back to him. It would have been lovely to be on the inside of the building watching as people started plugging the USB drives in, scouring through the planted image files, the unknowingly running the piece of software cleverly hidden away by DarkReading.
After about three days, they figured they'd collected enough data. Upon review of their findings, they were amazed at the results. Of the 20 USB drives planted, 15 were found by employees and all had been plugged into company computers. The data obtained helped to compromise additional systems, and the best part of the whole scheme was the convenience. Everything that needed to happen did, and in a way it was completely transparent to the users, the network and credit union management.
This little "giveaway" takes security loopholes a step further, working off humans' innate curiosity. Email virus writers exploit this same vulnerability, as do phishers and their clever faux websites. The credit union client wasn't unique or special. All the technology and filtering and scanning in the world won't address human nature. But it remains the single biggest open door to any company's secrets.
Disagree? Sprinkle your receptionist's candy dish with USB drives and see for yourself how long it takes for human nature to manifest itself.
