[ISN] Social Engineering, the USB Way

InfoSec News isn at c4i.org
Fri Jun 9 12:42:47 EDT 2006


By Steve Stasiukonis
JUNE 7, 2006

We recently got hired by a credit union to assess the security of its
network. The client asked that we really push hard on the social
engineering button. In the past, they'd had problems with employees
sharing passwords and giving up information easily.  Leveraging our
effort in the report was a way to drive the message home to the

The client also indicated that USB drives were a concern, since they
were an easy way for employees to steal information, as well as bring
in potential vulnerabilities such as viruses and Trojans. Several
other clients have raised the same concern, yet few have done much to
protect themselves from a rogue USB drive plugging into their network.  
I wanted to see if we could tempt someone into plugging one into their
employer's network.

In the past we had used a variety of social engineering tactics to
compromise a network. Typically we would hang out with the smokers,
sweet-talk a receptionist, or commandeer a meeting room and jack into
the network. This time I knew we had to do something different. We
heard that employees were talking within the credit union and were
telling each other that somebody was going to test the security of the
network, including the people element.

We figured we would try something different by baiting the same
employees that were on high alert. We gathered all the worthless
vendor giveaway thumb drives collected over the years and imprinted
them with our own special piece of software. I had one of my guys
write a Trojan that, when run, would collect passwords, logins and
machine-specific information from the user's computer, and then email
the findings back to us.

The next hurdle we had was getting the USB drives in the hands of the
credit union's internal users. I made my way to the credit union at
about 6 a.m. to make sure no employees saw us. I then proceeded to
scatter the drives in the parking lot, smoking areas, and other areas
employees frequented.

Once I seeded the USB drives, I decided to grab some coffee and watch
the employees show up for work. Surveillance of the facility was worth
the time involved. It was really amusing to watch the reaction of the
employees who found a USB drive. You know they plugged them into their
computers the minute they got to their desks.

I immediately called my guy that wrote the Trojan and asked if
anything was received at his end. Slowly but surely info was being
mailed back to him. I would have loved to be on the inside of the
building watching as people started plugging the USB drives in,
scouring through the planted image files, then unknowingly running our
piece of software.

After about three days, we figured we had collected enough data. When
I started to review our findings, I was amazed at the results. Of the
20 USB drives we planted, 15 were found by employees, and all had been
plugged into company computers. The data we obtained helped us to
compromise additional systems, and the best part of the whole scheme
was its convenience. We never broke a sweat. Everything that needed to
happen did, and in a way it was completely transparent to the users,
the network, and credit union management.

Of all the social engineering efforts we have performed over the
years, I always had to worry about being caught, getting detained by
the police, or not getting anything of value. The USB route is really
the way to go. With the exception of possibly getting caught when
seeding the facility, my chances of having a problem are reduced

You've probably seen the experiments where users can be conned into
giving up their passwords for a chocolate bar or a $1 bill. But this
little giveaway took those a step further, working off humans' innate
curiosity. Emailed virus writers exploit this same vulnerability, as
do phishers and their clever faux Websites. Our credit union client
wasn't unique or special. All the technology and filtering and
scanning in the world won't address human nature. But it remains the
single biggest open door to any company's secrets.

Disagree? Sprinkle your receptionist's candy dish with USB drives and
see for yourself how long it takes for human nature to manifest

- Steve Stasiukonis is VP and founder of Secure Network Technologies Inc.   
  Special to Dark Reading

More information about the ISN mailing list