Social Engineering, the USB way

Here’s an interesting (even though old) article about a somewhat different (and fun) approach to Social Engineering:

We recently got hired by a credit union to assess the security of its network. The client asked that we really push hard on the social engineering button. In the past, they’d had problems with employees sharing passwords and giving up information easily. Leveraging our effort in the report was a way to drive the message home to the employees.

The client also indicated that USB drives were a concern, since they were an easy way for employees to steal information, as well as bring in potential vulnerabilities such as viruses and Trojans. Several other clients have raised the same concern, yet few have done much to protect themselves from a rogue USB drive plugging into their network. I wanted to see if we could tempt someone into plugging one into their employer’s network.

In the past we had used a variety of social engineering tactics to compromise a network. Typically we would hang out with the smokers, sweet-talk a receptionist, or commandeer a meeting room and jack into the network. This time I knew we had to do something different. We heard that employees were talking within the credit union and were telling each other that somebody was going to test the security of the network, including the people element.

We figured we would try something different by baiting the same employees that were on high alert. We gathered all the worthless vendor giveaway thumb drives collected over the years and imprinted them with our own special piece of software. I had one of my guys write a Trojan that, when run, would collect passwords, logins and machine-specific information from the user’s computer, and then email the findings back to us.

The next hurdle we had was getting the USB drives in the hands of the credit union’s internal users. I made my way to the credit union at about 6 a.m. to make sure no employees saw us. I then proceeded to scatter the drives in the parking lot, smoking areas, and other areas employees frequented.

Once I seeded the USB drives, I decided to grab some coffee and watch the employees show up for work. Surveillance of the facility was worth the time involved. It was really amusing to watch the reaction of the employees who found a USB drive. You know they plugged them into their computers the minute they got to their desks.

I immediately called my guy that wrote the Trojan and asked if anything was received at his end. Slowly but surely info was being mailed back to him. I would have loved to be on the inside of the building watching as people started plugging the USB drives in, scouring through the planted image files, then unknowingly running our piece of software.

After about three days, we figured we had collected enough data. When I started to review our findings, I was amazed at the results. Of the 20 USB drives we planted, 15 were found by employees, and all had been plugged into company computers. The data we obtained helped us to compromise additional systems, and the best part of the whole scheme was its convenience. We never broke a sweat. Everything that needed to happen did, and in a way it was completely transparent to the users, the network, and credit union management.

Of all the social engineering efforts we have performed over the years, I always had to worry about being caught, getting detained by the police, or not getting anything of value. The USB route is really the way to go. With the exception of possibly getting caught when seeding the facility, my chances of having a problem are reduced significantly.

You’ve probably seen the experiments where users can be conned into giving up their passwords for a chocolate bar or a $1 bill. But this little giveaway took those a step further, working off humans’ innate curiosity. Emailed virus writers exploit this same vulnerability, as do phishers and their clever faux Websites. Our credit union client wasn’t unique or special. All the technology and filtering and scanning in the world won’t address human nature. But it remains the single biggest open door to any company’s secrets.

Disagree? Sprinkle your receptionist’s candy dish with USB drives and see for yourself how long it takes for human nature to manifest itself.

— Steve Stasiukonis is VP and founder of Secure Network Technologies Inc

  • http://www.cristiv.com Chris

    From all this it’s clear that if the company had installed Windows Vista on all workstations and disabled USB flash drivers from the Group Policy, everything would have been ok. Deploy Windows Vista Today! :lol:

  • EpsDel

    I think this suffices on XP too:

    http://support.microsoft.com/kb/823732

    I really like this:

    Warning: Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system.

  • http://www.tudy.ro Tudy

    Still, disabling USB storage drives through the new Windows Vista Group Policies is way faster and more efficient than manually editing the registry on all the machines.

  • EpsDel

    All in all, it’s not a good enough reason to switch to Vista.

    Upgrade to Windows Vista Today :!: Because you don’t want to edit the Registry. Yey!

    And we’ve reached the end of our marketing session for today, kids.

    Yours truly, EpsDel.

  • http://www.tudy.ro Tudy

    It’s not like that’s the only new feature in Vista… :roll:

  • ILUsion

    Well, explain to me then, that at my university USB drivers are disabled by default on XP machines. This isn’t something Vista has to offer; one can easily change the registry of whole corporate networks with little effort. The only new thing that Vista includes is this feature right in the Policy Editor (which isn’t useful in small offices, as you have to set it manually on each desktop or on a dedicated server; but registry changes can be done by just writing a reg file and running it on each computer).

    Also, I think Vista has too many shortcomings; a good effort on security, but way too bloated if you ask me. (Also, if you think of switching to Vista for this tiny feature, why don’t you consider switching to Linux or Mac OS, as Windows would be the only OS infected by these viruses). And let’s just face the truth, it’s quite hard to get a Windows installation safe. I’ve only seen safe Windows installations in large companies or at universities; all small companies or homes have a Windows installation that ends up being bloated with spyware. The reason for this: large companies can afford system administrators who can monitor the security and close most open doors.

  • David

    It’s easy enough to write your own Group Policy Administrative templates. Any System Administrator should be able to figure out how to disable USB drives on an XP system within half a day.
    I used to write my own in Notepad all the time when I was a System Administrator.

  • http://www.tudy.ro Tudy

    Well, apparently it wasn’t that easy for the guys at the company in the story… :roll:

  • IT_Girl

    Even if you’re not as savvy as others in being able to write your own code, you’re given this option to do it network-wide with the click of a button. I worked at a company who took this very seriously, and after suggesting this, took steps to use it.

    http://www.intelliadmin.com/Downloads.htm

  • http://www.tudy.ro Tudy

    Cool link, thanks! :)

  • IMReader

    I don’t think the way to attack this would be to disable USB drivers. That just adds too much hassle for people to use legitimate drives without trojans. I think the best way to fix the problem would be to train the employees better in IA.

  • John

    :roll: For the people who say switch to Vista because this is too much work: you can set the same basic program on the flash drive used to simply edit the registry on all of the computers hooked to the network, and have it save itself within the system, so that if a new computer enters the network, it will apply it to them. Also, they could have made this real nasty; you can probably embed a worm into there so that every time it interacts with another computer, it would re-run on the new one. While this would be a lot more obvious, being a much larger file, and also it would have to clear firewalls, if it could be pulled off, even a portion of it before detection, it would be gold.

  • http://www.spamify.com/ Brian

    Haha, only a moron would upgrade to Vista right now. At least wait until they release ServiceHack 1. =)

  • micah

    … thumb drives are not a bad thing. i’m no it guy, but disabling the use of all thumb drives?? seems silly. i really wanted to do extra work at home, off the clock and outside the office. guess i can’t get these files home with me. too bad.

  • have they tried linux?

    this is a good reason not to use windows, running under admin privileges all the time isn’t smart and vista doesn’t handle reduced accounts very well either. linux/mac however, run nicely under a reduced user account and each user can have limits imposed on what they can do. that way, people can read what is on the usb [images] without easily running the trojan [i'm sure there are clever ones but that is rare] even better is because linux is opensource/GPL-ed they can modify it to their liking

  • Anonymous Coward

    I have a much better way to disable USB ports on a computer. Buy some glue, and fill each USB port. Or, if you’re feeling lucky, drill away/break off the plastic part with the metal contacts inside the port. Much more secure! :razz:
