Social Engineering, the USB Way

www.darkreading.com

We recently got hired by a credit union to assess the security of its network. The client asked that we really push hard on the social engineering button. In the past, they’d had problems with employees sharing passwords and giving up information easily. Leveraging our effort in the report was a way to drive the message home to the employees.

The client also indicated that USB drives were a concern, since they were an easy way for employees to steal information, as well as bring in potential vulnerabilities such as viruses and Trojans.

[…]

We gathered all the worthless vendor giveaway thumb drives collected over the years and imprinted them with our own special piece of software. I had one of my guys write a Trojan that, when run, would collect passwords, logins and machine-specific information from the user’s computer, and then email the findings back to us.

The next hurdle we had was getting the USB drives in the hands of the credit union’s internal users. I made my way to the credit union at about 6 a.m. to make sure no employees saw us. I then proceeded to scatter the drives in the parking lot, smoking areas, and other areas employees frequented.

[…]

After about three days, we figured we had collected enough data. When I started to review our findings, I was amazed at the results. Of the 20 USB drives we planted, 15 were found by employees, and all had been plugged into company computers. The data we obtained helped us to compromise additional systems, and the best part of the whole scheme was its convenience.

[…]

You’ve probably seen the experiments where users can be conned into giving up their passwords for a chocolate bar or a $1 bill. But this little giveaway took those a step further, working off humans’ innate curiosity. Emailed virus writers exploit this same vulnerability, as do phishers and their clever faux Websites. Our credit union client wasn’t unique or special. All the technology and filtering and scanning in the world won’t address human nature. But it remains the single biggest open door to any company’s secrets.

Disagree? Sprinkle your receptionist’s candy dish with USB drives and see for yourself how long it takes for human nature to manifest itself.

The reason I post this particular article is that I was chatting recently with JP Rangaswami, the CIO of DrKW (aka: Dresdner Kleinwort Wasserstein) about the very same human nature which is cited in this article.

As written, the article will probably cause more of the reflex I have seen in some City institutions which try to ban iPods, USB sticks and the like, from trading floors and other sensitive environments.

That won’t work – as JP approximately put it, if you want [me] to do that, you’ll need to give me the privileges to stop-search the employees and go through their briefcases, pockets, and check what their phone can do; the result will be oppressive chaos.

The proper response is one of embrace and control, that if employees are going to make use of whatever technology [USB, iPod, WWW, Instant Messenger, 802.11, …], some facility needs to be made to filter and sanitycheck the means to which it can be put, and that you make the means and constraint transparent and well-advertised to your employees.

In short: be fair, and be wise. It might cost a little more in the short term, but will retain respect, employees and be more effective than the “ban everything” approach.

7 Replies to “Social Engineering, the USB Way”

  1. re: Social Engineering, the USB Way

    Well done to those guys; it’s about time a decent study was done and published on this threat.

    It also makes a great advertisement for SunRays, though – turn the USB ports off in the policy, as stored server-side and only modifiable from the appropriate account :-).

    Mind you, it would still also be necessary to somehow lock the network down so someone couldn’t pull a cable out of a SunRay and usefully plug it into their laptop; MAC address lockdown wouldn’t be good enough, so whatever network ran through the office environment would have to be SunRay-dedicated rather than shared…

  2. re: Social Engineering, the USB Way

    Obviously, in a corporate environment disabling PC USB ports in the BIOS can be IT policy, not to mention locking the BIOS with a password.

    Alternatively, should USB devices be required (eg. image scanners), it is possible to enable limited ports, with monitoring software (such as Sanctuary Device Control) to ensure the ports are used for permissible purposes alone.

    (I have no connection with SanctuaryWare)

  3. re: Social Engineering, the USB Way

    Well, seeing as the PS/2 mouse and keyboard ports are going the way of the Dodo very quickly, turning off teh USB ports won’t be an option soon.

    A better solution would be to remove the driver from the OS for USB disk devices and only allow USB HID devices to operate.

    (Or you run an obscure OS on the machines which won’t run anything found in a USB port even if it is in the correct executable format.)

  4. re: Social Engineering, the USB Way

    Being as I work at a university, it’s a bit impossible to implement consistent technical controls. On top of this; whatever controls you try to put in place are going to be ignored or bypassed if users don’t understand or agree with them. I’m leaning toward the opinion that going for the ‘teach them, don’t clamp them in irons’ will have better results.

    BTW: we may have met once. I used to work with Al & ‘Bob’. Say ‘Hi’ to Chris Samuel for me, if you’re still in touch.

  5. re: Social Engineering, the USB Way

    Hi Bridget – yes, I still have e-mail from the ‘junk’ list in 2001 with your name on it from Aston.

    Chris reads this occasionally so may respond directly – you can see his blog at csamuel.org; tragically I don’t get to see Bob any more, alas he has some issues to live with, ones which I am in no position to address.

  6. re: Social Engineering, the USB Way

    ps: back when I was sysadmin at Aber, I used to offer the students a stark choice:

    – find me a security bug, and I’ll buy you a beer.

    – exploit a security bug without telling me first, and I’ll have you kicked out of college.

    …worked pretty well.

  7. re: Social Engineering, the USB Way

    That could work seriously well (yes, I seem to be very bad at checking back to see if someone’s responded to my comment!).

    Cheers,

    B

    PS: Is junk still going?

Leave a Reply

Your email address will not be published. Required fields are marked *