[ISN] Free CDs highlight security weaknesses

InfoSec News isn at c4i.org
Tue Mar 14 03:13:28 EST 2006


By Jeremy Kirk
IDG News Service

To office workers trudging to their cubicles, the promotion looked
like a chance at sweet relief from the five-day-a-week grind.

By simply running a free CD on their computers, they would have a
chance to win a vacation. But the beguiling morning giveaway in
London's financial district last month was more nefarious than it

Like flies to garbage, dozens of victims took the CD, unable to
control the irresistible attraction of "free."

Secret agents behind enemy lines, the CDs piggybacked through
companies' physical security systems tucked in the bags and pockets of
their couriers. The office workers dutifully took the CDs to their
desks and plopped them in their employers' computers.

The mission was complete.

In the process, the CDs likely skirted an array of IT security systems
in place to prevent malicious code from being installed. Although the
CDs did not contain malicious code, the exercise accomplished the
point Robert Chapman wanted to make: People are misinformed about what
actions could damage their computers or expose them to malware, adware
and viruses.

"All these things are bypassed by human nature and curiosity and a
level of ignorance and naiveté," says Chapman, director of The
Training Camp Ltd., a computer training and consulting firm based in
London, who came up with the idea. "The lure of a free holiday entices
them more than the potential damage that they may make to their
corporate network."c

When a user ran the CD, the code on it prompted a browser window that
opened a Web site, Chapman says. The site then tried to load an image
from another Web site, Chapman says.

The number of people who opened the CD could be tracked by the number
of times the image was accessed, he says. Users saw only an error
message saying the page could not be loaded, he says.

"There is nothing clever about it or illegal," Chapman said of the
CD's code.

Although the front of the CD contained a written warning to users to
check their company's internal security guidelines before running it,
as many as 75 of the 100 CDs were played. Chapman says he was able to
trace the IP addresses of those computers that tried to access the
image and found that employees at two well-known insurance companies
and a retail bank were among the duped.

Chapman declines, however, to identify the names of those companies.

The experiment underscores what experts say is the weakest point for
IT security: people. Many companies have policies and make their
employees sign legally binding documents containing the rules for
using company computers, but it's doubtful users get specific training
on why those rules are in place, Chapman says.

Firewalls can block incoming hacking attempts, but most default
firewall settings allow outbound traffic, Chapman says. If malicious
code was already in the system, it might not be blocked by the
firewall, allowing for the transmission of data from inside the
computer, he says.

Chapman says he surprisingly didn't get any angry calls from rankled
systems administrators. "I was half-expecting something like that to
happen, but I hope people realize that this is being done with a good
heart," he says.

More information about the ISN mailing list