Old 06-09-2006, 10:18 AM   #1 (permalink)
rixride
Admin
Location: Dallas, Texas
Social Engineering, the USB Way

Interesting Read:
Social Engineering, the USB Way

JUNE 7, 2006 | We recently got hired by a credit union to assess the security of its network. The client asked that we really push hard on the social engineering button. In the past, they'd had problems with employees sharing passwords and giving up information easily. Leveraging our effort in the report was a way to drive the message home to the employees.
The client also indicated that USB drives were a concern, since they were an easy way for employees to steal information, as well as bring in potential vulnerabilities such as viruses and Trojans. Several other clients have raised the same concern, yet few have done much to protect themselves from a rogue USB drive plugging into their network. I wanted to see if we could tempt someone into plugging one into their employer's network.
In the past we had used a variety of social engineering tactics to compromise a network. Typically we would hang out with the smokers, sweet-talk a receptionist, or commandeer a meeting room and jack into the network. This time I knew we had to do something different. We heard that employees were talking within the credit union and were telling each other that somebody was going to test the security of the network, including the people element.
We figured we would try something different by baiting the same employees that were on high alert. We gathered all the worthless vendor giveaway thumb drives collected over the years and imprinted them with our own special piece of software. I had one of my guys write a Trojan that, when run, would collect passwords, logins and machine-specific information from the user’s computer, and then email the findings back to us.
The next hurdle we had was getting the USB drives in the hands of the credit union’s internal users. I made my way to the credit union at about 6 a.m. to make sure no employees saw us. I then proceeded to scatter the drives in the parking lot, smoking areas, and other areas employees frequented.
Once I seeded the USB drives, I decided to grab some coffee and watch the employees show up for work. Surveillance of the facility was worth the time involved. It was really amusing to watch the reaction of the employees who found a USB drive. You know they plugged them into their computers the minute they got to their desks.
I immediately called my guy that wrote the Trojan and asked if anything was received at his end. Slowly but surely info was being mailed back to him. I would have loved to be on the inside of the building watching as people started plugging the USB drives in, scouring through the planted image files, then unknowingly running our piece of software.
After about three days, we figured we had collected enough data. When I started to review our findings, I was amazed at the results. Of the 20 USB drives we planted, 15 were found by employees, and all had been plugged into company computers. The data we obtained helped us to compromise additional systems, and the best part of the whole scheme was its convenience. We never broke a sweat. Everything that needed to happen did, and in a way it was completely transparent to the users, the network, and credit union management.
Of all the social engineering efforts we have performed over the years, I always had to worry about being caught, getting detained by the police, or not getting anything of value. The USB route is really the way to go. With the exception of possibly getting caught when seeding the facility, my chances of having a problem are reduced significantly.
You’ve probably seen the experiments where users can be conned into giving up their passwords for a chocolate bar or a $1 bill. But this little giveaway took those a step further, working off humans' innate curiosity. Emailed virus writers exploit this same vulnerability, as do phishers and their clever faux Websites. Our credit union client wasn’t unique or special. All the technology and filtering and scanning in the world won’t address human nature. But it remains the single biggest open door to any company’s secrets.
Disagree? Sprinkle your receptionist's candy dish with USB drives and see for yourself how long it takes for human nature to manifest itself.
Old 07-26-2006, 04:44 PM   #2 (permalink)
Filou
Junior Member
Location: Hainaut
Just out of curiosity, did the company in question have any anti-trojan (or anti-something else) software deployed on its computers? If not, do you think this kind of software could have in some way blocked or limited the reach of your plan? If they had this kind of software deployed, did you analyze why it didn't detect/block your trojan? Did you conclude that better software would have?

That's interesting because what has changed is the social part of the problem: people are less suspecting when they find a USB thumb drive than if they found a floppy or a CD (and they somehow imagine a USB drive could contain more interesting things than a floppy or CD), but the technological problem is still the same: it's still a matter of detecting and blocking harmful files, whether they come from the Internet or from removable storage of any kind.
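The article's lure was a Trojan tucked among "planted image files", and Filou's reply frames the defensive side as detecting harmful files that arrive on removable storage. The script below is an added example, written for this thread and not code from the article, the forum, or either poster. It triages the contents of a found drive (a mounted path) for the generic tells of a USB-drop lure: an autorun.inf at the root, a document- or image-looking name carrying an executable extension, and a file whose bytes start with a Windows PE header ("MZ") while its extension claims otherwise. The sample drive it builds in a temporary directory is constructed for the demo; the extension lists are assumptions, not a complete catalogue.

```python
"""
Triage a found or unknown removable drive for the usual USB-drop lures.

Added example for this thread; not from the article or the forum posters.
Checks performed on every file under the mount point:
  * autorun.inf at the drive root (auto-launch lure on 2006-era Windows)
  * image/document name with an executable last extension, e.g. party.jpg.exe
  * bare executables on the drive
  * Windows PE header ("MZ") under a non-executable extension
"""
import tempfile
from pathlib import Path

# Assumed lists for the demo; extend to match local policy.
EXEC_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js", ".hta", ".lnk"}
LURE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".doc", ".pdf", ".txt"}  # "photo"/"document" bait


def is_pe(path):
    """True when the file begins with the DOS/PE 'MZ' magic."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def screen_drive(root):
    """Return sorted (relative_path, reason) findings for a mounted drive."""
    root = Path(root)
    findings = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        suffixes = [s.lower() for s in p.suffixes]
        ext = suffixes[-1] if suffixes else ""

        if p.name.lower() == "autorun.inf" and p.parent == root:
            findings.append((rel, "autorun.inf at drive root: auto-launch lure"))

        if ext in EXEC_EXTS:
            if len(suffixes) >= 2 and suffixes[-2] in LURE_EXTS:
                findings.append((rel, "image/document name with executable extension"))
            else:
                findings.append((rel, "executable on removable media"))
        elif is_pe(p):
            findings.append((rel, "PE header under non-executable extension"))
    return sorted(findings)


def build_sample_drive(root):
    """Constructed stand-in for a dropped thumb drive (not a real capture)."""
    root = Path(root)
    (root / "photos").mkdir()
    (root / "autorun.inf").write_text("[autorun]\nopen=setup.exe\n")
    (root / "photos" / "beach.jpg").write_bytes(b"\xff\xd8\xff\xe0")        # real JPEG header
    (root / "photos" / "team party.jpg.exe").write_bytes(b"MZ\x90\x00")    # double extension
    (root / "salary_2006.pdf").write_bytes(b"MZ\x90\x00")                  # PE disguised as PDF
    (root / "readme.txt").write_text("Found this in the parking lot?\n")   # benign
    (root / "setup.exe").write_bytes(b"MZ\x90\x00")                        # bare executable


def demo():
    """Build the constructed drive in a temp dir and screen it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_drive(tmp)
        return screen_drive(tmp)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel:32} {reason}")
```

Run it as a script to see the four flagged files; `beach.jpg` and `readme.txt` pass. The point is triage, not protection: a drive like the one in the article should never reach a workstation's USB port in the first place, and current Windows versions no longer auto-execute autorun.inf from removable media, so a disguised "photo" that the user double-clicks is the case that still matters. Device-control policy that blocks removable storage outright, or allows only approved devices, addresses the root cause that the article demonstrates.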