Social Engineering, the USB Way
user name
2006-06-09 16:42:47
http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1

By Steve Stasiukonis
JUNE 7, 2006

We recently got hired by a credit union to assess the security of its network. The client asked that we really push hard on the social engineering button. In the past, they'd had problems with employees sharing passwords and giving up information easily. Leveraging our effort in the report was a way to drive the message home to the employees.

The client also indicated that USB drives were a concern, since they were an easy way for employees to steal information, as well as bring in potential vulnerabilities such as viruses and Trojans. Several other clients have raised the same concern, yet few have done much to protect themselves from a rogue USB drive plugging into their network. I wanted to see if we could tempt someone into plugging one into their employer's network.

In the past we had used a variety of social engineering tactics to compromise a network. Typically we would hang out with the smokers, sweet-talk a receptionist, or commandeer a meeting room and jack into the network. This time I knew we had to do something different. We heard that employees were talking within the credit union and were telling each other that somebody was going to test the security of the network, including the people element.

We figured we would try something different by baiting the same employees that were on high alert. We gathered all the worthless vendor giveaway thumb drives collected over the years and imprinted them with our own special piece of software. I had one of my guys write a Trojan that, when run, would collect passwords, logins and machine-specific information from the user's computer, and then email the findings back to us.

The next hurdle we had was getting the USB drives in the hands of the credit union's internal users. I made my way to the credit union at about 6 a.m. to make sure no employees saw us. I then proceeded to scatter the drives in the parking lot, smoking areas, and other areas employees frequented.

Once I seeded the USB drives, I decided to grab some coffee and watch the employees show up for work. Surveillance of the facility was worth the time involved. It was really amusing to watch the reaction of the employees who found a USB drive. You know they plugged them into their computers the minute they got to their desks.

I immediately called my guy who wrote the Trojan and asked if anything was received at his end. Slowly but surely info was being mailed back to him. I would have loved to be on the inside of the building watching as people started plugging the USB drives in, scouring through the planted image files, then unknowingly running our piece of software.

After about three days, we figured we had collected enough data. When I started to review our findings, I was amazed at the results. Of the 20 USB drives we planted, 15 were found by employees, and all had been plugged into company computers. The data we obtained helped us to compromise additional systems, and the best part of the whole scheme was its convenience. We never broke a sweat. Everything that needed to happen did, and in a way it was completely transparent to the users, the network, and credit union management.

Of all the social engineering efforts we have performed over the years, I always had to worry about being caught, getting detained by the police, or not getting anything of value. The USB route is really the way to go. With the exception of possibly getting caught when seeding the facility, my chances of having a problem are reduced significantly.

You've probably seen the experiments where users can be conned into giving up their passwords for a chocolate bar or a $1 bill. But this little giveaway took those a step further, working off humans' innate curiosity. Email virus writers exploit this same vulnerability, as do phishers and their clever faux Websites. Our credit union client wasn't unique or special. All the technology and filtering and scanning in the world won't address human nature. But it remains the single biggest open door to any company's secrets.

Disagree? Sprinkle your receptionist's candy dish with USB drives and see for yourself how long it takes for human nature to manifest itself.

- Steve Stasiukonis is VP and founder of Secure Network Technologies Inc.
  Special to Dark Reading
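The article describes the drop but not how the credit union could have noticed it. As an added example (not code from the article or from Secure Network Technologies), here is a small Python script that scans host syslog for USB mass-storage attaches, correlates the kernel's "New USB device found" line with the later "USB Mass Storage device detected" line on the same host and port path, and flags any drive not on an allowlist of company-issued devices. The log lines are constructed to resemble Linux kernel USB hot-plug messages; the host names, vendor/product IDs, timestamps and the allowlist are all assumptions for the example, and the exact message wording varies between kernel versions, so the patterns would need checking against real logs before use.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample lines in the style of Linux kernel syslog messages for
# USB hot-plug. Hosts, timestamps, vendor/product IDs and names are made up
# for this example.
SAMPLE_LOG = """\
Jun  7 08:12:03 ws-17 kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd
Jun  7 08:12:03 ws-17 kernel: usb 1-1: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
Jun  7 08:12:03 ws-17 kernel: usb 1-1: Product: Cruzer Blade
Jun  7 08:12:03 ws-17 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
Jun  7 08:12:04 ws-17 kernel: sd 6:0:0:0: [sdb] Attached SCSI removable disk
Jun  7 08:14:41 ws-22 kernel: usb 2-3: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.10
Jun  7 08:14:41 ws-22 kernel: usb 2-3: Product: USB Receiver
Jun  7 08:20:17 ws-09 kernel: usb 1-2: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
Jun  7 08:20:17 ws-09 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Jun  7 08:31:55 ws-17 kernel: usb 1-1: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
Jun  7 08:31:55 ws-17 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
"""

# Assumed allowlist of company-issued drives, keyed by "idVendor:idProduct".
# Anything else that enumerates as mass storage is treated as a found/rogue drive.
APPROVED_DRIVES = {"0951:1666"}

SYSLOG_PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
NEW_DEVICE = re.compile(
    SYSLOG_PREFIX
    + r"usb (?P<bus>[\d.-]+): New USB device found, "
    + r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
MASS_STORAGE = re.compile(
    SYSLOG_PREFIX + r"usb-storage (?P<bus>[\d.-]+):\d+\.\d+: USB Mass Storage device detected"
)


@dataclass
class UsbStorageEvent:
    ts: str
    host: str
    bus: str       # USB bus/port path such as "1-1"; ties the two log lines together
    vid: str
    pid: str
    approved: bool

    @property
    def device_id(self) -> str:
        return f"{self.vid}:{self.pid}"


def find_mass_storage_events(log_text, approved=APPROVED_DRIVES):
    """Correlate 'New USB device found' with 'USB Mass Storage device detected'
    on the same host and bus path, returning one event per storage device.
    Devices that never bind to usb-storage (mice, receivers) produce nothing."""
    pending = {}   # (host, bus) -> (ts, vid, pid) for devices seen but not yet classified
    events = []
    for line in log_text.splitlines():
        m = NEW_DEVICE.match(line)
        if m:
            pending[(m["host"], m["bus"])] = (m["ts"], m["vid"], m["pid"])
            continue
        m = MASS_STORAGE.match(line)
        if m:
            key = (m["host"], m["bus"])
            # If the enumeration line was lost (log rotation, rate limiting), still
            # report the storage attach rather than silently dropping it.
            ts, vid, pid = pending.pop(key, (m["ts"], "????", "????"))
            events.append(UsbStorageEvent(ts, m["host"], m["bus"], vid, pid, f"{vid}:{pid}" in approved))
    return events


def unapproved_by_host(events):
    """Group unapproved storage attaches by host: the list of desks to go visit."""
    out = defaultdict(list)
    for e in events:
        if not e.approved:
            out[e.host].append(e.device_id)
    return dict(out)


if __name__ == "__main__":
    found = find_mass_storage_events(SAMPLE_LOG)
    for e in found:
        flag = "ok   " if e.approved else "ALERT"
        print(f"{flag} {e.ts} {e.host} usb{e.bus} {e.device_id}")
    print("unapproved drives by host:", unapproved_by_host(found))
```

Run against the constructed log, the script reports two unapproved attaches (ws-17 and ws-09) and one approved one; the Logitech receiver on ws-22 never binds to usb-storage and is ignored. Detection after the fact is the weaker control, though: on a fleet where nobody has a business need for removable media, preventing the usb-storage driver from loading at all (a modprobe `install usb-storage /bin/false` line on Linux, or the equivalent removable-storage policy on Windows) removes the bait's payload path entirely, and the Trojan's habit of mailing results out suggests a second signal worth alerting on: workstations initiating outbound SMTP to anything other than the corporate mail relay.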


