[Web4lib] Big Flash Drives (snooping)

Tom Keays tomkeays at gmail.com
Tue Jun 13 12:04:50 EDT 2006


Bruce Schneier's Security blog has a recent entry on "Hacking
Computers Over USB".

http://www.schneier.com/blog/archives/2006/06/hacking_compute.html

He quotes an article by Simson Garfinkel, "Attack of the iPods!" in CSOonline.

Plug an iPod or USB stick into a PC running Windows and the device can
literally take over the machine and search for confidential documents,
copy them back to the iPod or USB's internal storage, and hide them as
"deleted" files. Alternatively, the device can simply plant spyware,
or even compromise the operating system. Two features that make this
possible are the Windows AutoRun facility and the ability of
peripherals to use something called direct memory access (DMA). The
first attack vector you can and should plug; the second vector is the
result of a design flaw that's likely to be with us for many years to
come.

He also references "Social Engineering, the USB Way" from DarkReading.

We recently got hired by a credit union to assess the security of its
network. The client asked that we really push hard on the social
engineering button. In the past, they'd had problems with employees
sharing passwords and giving up information easily. ...

The client also indicated that USB drives were a concern, since they
were an easy way for employees to steal information, as well as bring
in potential vulnerabilities such as viruses and Trojans. Several
other clients have raised the same concern, yet few have done much to
protect themselves from a rogue USB drive plugging into their network.
I wanted to see if we could tempt someone into plugging one into their
employer's network. ...

We gathered all the worthless vendor giveaway thumb drives collected
over the years and imprinted them with our own special piece of
software. I had one of my guys write a Trojan that, when run, would
collect passwords, logins and machine-specific information from the
user's computer, and then email the findings back to us.

The next hurdle we had was getting the USB drives in the hands of the
credit union's internal users. I made my way to the credit union at
about 6 a.m. to make sure no employees saw us. I then proceeded to
scatter the drives in the parking lot, smoking areas, and other areas
employees frequented.

Once I seeded the USB drives, I decided to grab some coffee and watch
the employees show up for work. Surveillance of the facility was worth
the time involved. It was really amusing to watch the reaction of the
employees who found a USB drive. You know they plugged them into their
computers the minute they got to their desks. ...

After about three days, we figured we had collected enough data. When
I started to review our findings, I was amazed at the results. Of the
20 USB drives we planted, 15 were found by employees, and all had been
plugged into company computers. The data we obtained helped us to
compromise additional systems, and the best part of the whole scheme
was its convenience. We never broke a sweat. Everything that needed to
happen did, and in a way it was completely transparent to the users,
the network, and credit union management.
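The Garfinkel excerpt above says the AutoRun vector "you can and should plug". The snippet below is an added defender-side example, written for this post and not taken from Schneier's blog, Garfinkel's article or the DarkReading piece. It audits the Windows NoDriveTypeAutoRun policy value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer and sets it to 0xFF, which turns AutoRun off for every drive type, so a planted drive's autorun.inf is never acted on automatically. It assumes an elevated PowerShell session on the machine being hardened; the function names are my own.

```powershell
# Added example (not from the original post): audit and plug the Windows
# AutoRun vector by setting the NoDriveTypeAutoRun policy to 0xFF (all drive
# types). Assumes an elevated PowerShell session. Registry path and value name
# are the documented Windows policy locations; function names are mine.

$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName  = 'NoDriveTypeAutoRun'
$AllDrives  = 0xFF   # bitmask: one bit per drive type, all set = AutoRun off everywhere

function Get-AutoRunPolicy {
    # Returns the current policy DWORD, or $null when no policy value exists.
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Disable-AutoRunAllDrives {
    # Creates the policy key if it is missing, then writes 0xFF as a DWORD.
    if (-not (Test-Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyPath -Name $ValueName -PropertyType DWord `
        -Value $AllDrives -Force | Out-Null
}

function Test-AutoRunDisabled {
    # $true only when the policy is present and covers all drive types.
    $current = Get-AutoRunPolicy
    return ($null -ne $current) -and (($current -band $AllDrives) -eq $AllDrives)
}

# Audit first, then remediate only if needed; report what changed.
if (Test-AutoRunDisabled) {
    Write-Output ('AutoRun already disabled for all drive types (0x{0:X2}).' -f (Get-AutoRunPolicy))
} else {
    $before = Get-AutoRunPolicy
    $shown  = if ($null -eq $before) { 'unset' } else { '0x{0:X2}' -f $before }
    Write-Output ('AutoRun policy is {0}; setting to 0xFF.' -f $shown)
    Disable-AutoRunAllDrives
    Write-Output ('Verified: {0}' -f (Test-AutoRunDisabled))
}
```

On a domain, the same value is what the "Turn off AutoPlay" Group Policy setting writes, so push it through GPO rather than per-machine scripts; the script is still useful as a spot check on hosts that should already have received the policy. Note that this only closes the AutoRun vector the excerpt names; it does nothing about the DMA issue, which the same excerpt describes as a longer-lived design problem.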
