
Social Engineering, the USB Way

JUNE 7, 2006 | We recently got hired by a credit union to assess the security of its network. The client asked that we really push hard on the social engineering button. In the past, they'd had problems with employees sharing passwords and giving up information easily. Leveraging our effort in the report was a way to drive the message home to the employees.

The client also indicated that USB drives were a concern, since they were an easy way for employees to steal information, as well as bring in potential vulnerabilities such as viruses and Trojans. Several other clients have raised the same concern, yet few have done much to protect themselves from a rogue USB drive plugging into their network. I wanted to see if we could tempt someone into plugging one into their employer's network.

In the past we had used a variety of social engineering tactics to compromise a network. Typically we would hang out with the smokers, sweet-talk a receptionist, or commandeer a meeting room and jack into the network. This time I knew we had to do something different. We heard that employees were talking within the credit union and were telling each other that somebody was going to test the security of the network, including the people element.

We figured we would try something different by baiting the same employees that were on high alert. We gathered all the worthless vendor giveaway thumb drives collected over the years and imprinted them with our own special piece of software. I had one of my guys write a Trojan that, when run, would collect passwords, logins and machine-specific information from the user’s computer, and then email the findings back to us.

The next hurdle we had was getting the USB drives in the hands of the credit union’s internal users. I made my way to the credit union at about 6 a.m. to make sure no employees saw us. I then proceeded to scatter the drives in the parking lot, smoking areas, and other areas employees frequented.

Once I seeded the USB drives, I decided to grab some coffee and watch the employees show up for work. Surveillance of the facility was worth the time involved. It was really amusing to watch the reaction of the employees who found a USB drive. You know they plugged them into their computers the minute they got to their desks.

I immediately called my guy who wrote the Trojan and asked if anything had been received at his end. Slowly but surely, info was being mailed back to him. I would have loved to be on the inside of the building watching as people started plugging the USB drives in, scouring through the planted image files, then unknowingly running our piece of software.

After about three days, we figured we had collected enough data. When I started to review our findings, I was amazed at the results. Of the 20 USB drives we planted, 15 were found by employees, and all had been plugged into company computers. The data we obtained helped us to compromise additional systems, and the best part of the whole scheme was its convenience. We never broke a sweat. Everything that needed to happen did, and in a way it was completely transparent to the users, the network, and credit union management.
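The collection phase the column describes leaves a sequence a defender can look for: a removable drive is attached to a workstation, and shortly afterwards that workstation opens an outbound mail connection to a host that is not the company's own mail server. The following Python script is an added example, not code from the article or from Secure Network Technologies. It correlates a constructed endpoint log of removable-storage attach events with a constructed firewall connection log and flags the combination within a time window. The log formats, host names, IP addresses, the 30-minute window and the list of legitimate mail relays are all assumptions made for this example.

```python
"""
Added example: correlate removable-storage attach events with subsequent
outbound SMTP from the same workstation. All log lines, host names and
addresses below are constructed for illustration; none come from the article.
"""
from datetime import datetime, timedelta

# Constructed endpoint-agent log: one line per removable device attached.
USB_LOG = """\
2006-06-07 08:03:12 host=WS-TELLER-04 user=jdoe event=removable_attached vid=0781 pid=5151
2006-06-07 08:05:40 host=WS-LOAN-02 user=msmith event=removable_attached vid=0951 pid=1607
2006-06-07 08:11:05 host=WS-TELLER-09 user=rlee event=removable_attached vid=0781 pid=5151
"""

# Constructed perimeter firewall log: outbound TCP connections from workstations.
FW_LOG = """\
2006-06-07 08:04:31 src=10.20.1.54 dst=203.0.113.10 dport=25 proto=tcp action=allow
2006-06-07 08:06:02 src=10.20.1.61 dst=10.20.0.5 dport=25 proto=tcp action=allow
2006-06-07 08:40:00 src=10.20.1.77 dst=198.51.100.7 dport=443 proto=tcp action=allow
2006-06-07 09:15:22 src=10.20.1.54 dst=203.0.113.10 dport=25 proto=tcp action=allow
"""

# Constructed asset inventory (hostname -> IP) and the internal mail relays
# that workstations are expected to talk to on port 25.
HOST_IP = {
    "WS-TELLER-04": "10.20.1.54",
    "WS-LOAN-02": "10.20.1.61",
    "WS-TELLER-09": "10.20.1.77",
}
MAIL_SERVERS = {"10.20.0.5"}
WINDOW = timedelta(minutes=30)  # assumed correlation window


def parse_line(line):
    """Parse 'YYYY-MM-DD HH:MM:SS key=value ...' into (datetime, {key: value})."""
    parts = line.split()
    ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    fields = dict(p.split("=", 1) for p in parts[2:])
    return ts, fields


def parse_log(text):
    """Parse every non-empty line of a log into (timestamp, fields) tuples."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def attach_counts(usb_log):
    """Count removable-storage attach events per host (how many drives were plugged in where)."""
    counts = {}
    for _, ev in parse_log(usb_log):
        if ev.get("event") == "removable_attached":
            counts[ev["host"]] = counts.get(ev["host"], 0) + 1
    return counts


def correlate(usb_log, fw_log, host_ip, mail_servers, window):
    """Return one alert per (attach event, outbound SMTP connection) pair where the
    connection comes from the same workstation, goes to a non-corporate mail host,
    and starts within `window` after the drive was attached."""
    conns = parse_log(fw_log)
    alerts = []
    for t_usb, usb in parse_log(usb_log):
        if usb.get("event") != "removable_attached":
            continue
        ip = host_ip.get(usb["host"])
        if ip is None:
            continue  # unknown asset; nothing to join on
        for t_fw, fw in conns:
            if fw.get("src") != ip or fw.get("dport") != "25":
                continue
            if fw.get("dst") in mail_servers:
                continue  # normal path to the internal relay
            if t_usb <= t_fw <= t_usb + window:
                alerts.append({
                    "host": usb["host"],
                    "user": usb.get("user"),
                    "attached_at": t_usb,
                    "dst": fw["dst"],
                    "connected_at": t_fw,
                })
    return alerts


if __name__ == "__main__":
    print("attach events per host:", attach_counts(USB_LOG))
    for a in correlate(USB_LOG, FW_LOG, HOST_IP, MAIL_SERVERS, WINDOW):
        print(f"ALERT {a['host']} ({a['user']}): drive attached {a['attached_at']}, "
              f"outbound SMTP to {a['dst']} at {a['connected_at']}")
```

On the constructed data only WS-TELLER-04 is flagged: its first SMTP connection to an external address falls a minute after the drive was attached, while its second one is outside the window, WS-LOAN-02 only talks to the internal relay, and WS-TELLER-09 makes no port-25 connection at all. The attach counts alone are useful too, since they give the figure the column reports (how many of the planted drives ended up in company machines) from the defender's side.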

In all of the social engineering efforts we have performed over the years, I always had to worry about being caught, getting detained by the police, or not getting anything of value. The USB route is really the way to go. With the exception of possibly getting caught when seeding the facility, my chances of having a problem are reduced significantly.

You’ve probably seen the experiments where users can be conned into giving up their passwords for a chocolate bar or a $1 bill. But this little giveaway took those a step further, working off humans' innate curiosity. Email virus writers exploit this same vulnerability, as do phishers and their clever faux Websites. Our credit union client wasn’t unique or special. All the technology and filtering and scanning in the world won’t address human nature. But it remains the single biggest open door to any company’s secrets.

Disagree? Sprinkle your receptionist's candy dish with USB drives and see for yourself how long it takes for human nature to manifest itself.

— Steve Stasiukonis is VP and founder of Secure Network Technologies Inc. Special to Dark Reading

Copyright © 2000-2006 Light Reading Inc. - All rights reserved.