5/10/2016
08:15 AM

10 Years Of Human Hacking: How The USB Way Evolved

After a decade of clicking without consequence, users still haven't gotten the message about the dangers of rogue USB devices with malware hidden inside.

When my piece "Social Engineering the USB Way" ran in 2006, the intent was to create awareness about endpoint security and how plugging something into your computer could result in severe consequences. As a penetration tester, I hoped those who fell victim to the exploit would learn a valuable lesson. Since then, my company has performed hundreds of similar tests, tempting users with USB devices in numerous ways. Needless to say, the results were always interesting.

As users started to become educated about rogue USB drives, we changed the rules by purchasing memory sticks branded with their company name and logo. Sometimes we attached them with a lanyard also printed with the corporate insignia. In some cases, we placed them on the desks of individual users, and in other instances, we physically mailed them to the individual. In all scenarios, users still plugged the devices in and ran whatever exploit we stored on the drive. 

Read how it all started when Steve Stasiukonis, in 2006, turned a socially-engineered thumb drive giveaway into a serious internal threat. The piece was one of the most popular reads in Dark Reading history.

When our ability to place devices in the hands of users became a problem, we focused on different delivery methods. Rather than trying to drop them on their desks or mail them to users, we shipped bulk packages. In some cases, we sent hundreds of corporate-branded USB memory sticks to targeted departments within a company. We would often place a note in the package, instructing the recipient that these devices were approved by the information technology department and should be distributed to all employees. In almost every instance, they complied with our request.

One particular test was very interesting. Our client had been monitoring two packages that had been unopened for several weeks. We shipped one parcel to his West Coast operation and another to his office in the east. 

Our client’s frustration would soon be replaced by panic. I called him to get the status on the West Coast parcel when he explained that he could not find it. While scouring the building, he entered the commissary to see almost every employee wearing our poisoned USB devices and customized lanyards around their necks. Like a madman, he started going from person to person, tearing them off.

When I asked about the East Coast package, our client indicated the situation was worse. His East Coast counterpart was watching that package and noticed it had gone missing. They investigated the disappearance, and learned the marketing group had taken our poisoned parcel of USB devices to a well-known industry trade show as free swag for their booth. Fortunately, everything was collected before the attendees of the show were given any of the infected trinkets.

Our social engineering testing began to morph into a psychological experiment. As users clicked on our poisoned thumb drive content, we began displaying a command prompt indicating, “You should not have done that.” Within the prompt, we would also display their IP address, machine name, user name, and our signature logo of a skull and crossed keyboards. The content displayed would also be sent to the IT department. Our goal was to see if they would call IT in hopes of admitting they had done something that could be a problem for their employer.

Our results were surprising. We learned that users in a variety of company positions rarely ever called IT about our message. We also found they would repeat their actions. In one case, a VP at a major company clicked on our exploit multiple times to display our message, yet he never called IT! When the opportunity arose, we asked users why they didn’t alert IT. Only one answer seemed to be genuine. The user responded by saying, “As long as the machine seemed to be functioning fine, why should I bother calling IT?”

Our user’s honest comment was frightening, but made sense. Why get a tongue-lashing by IT for not following policy if everything was OK? Clicking without consequence clearly has been learned by users. Although, with a plague of CryptoLocker malware becoming more and more prevalent, I suspect this behavior will be changing quickly. Unfortunately, the poor IT guys will be forced to deal with the burden of restoring users' machines from backups, or converting dollars to Bitcoin to meet the captors' demands.

Steve serves as president of Secure Network, focusing on penetration testing, information security risk assessments, incident response and digital investigations. Steve has worked in the field of information security since 1997. As a part of that experience, Steve is an ...
Comments
nouvomarketing,
User Rank: Apprentice
5/24/2016 | 1:23:13 PM
Old Computer Lab..
My old computer lab in college got hit with a virus. Everybody in the department had their information on USB drives. So, everybody would plug in their USB drives at least once a day. Plus, going around to countless other computers. It was just a matter of time... The social experiment sounds fun though. Can you buy "poisoned" USBs? :)
Forkeded48,
User Rank: Apprentice
5/11/2016 | 4:40:00 PM
USB Way
Thanks for this very interesting article. Plugging something into your computer is always dangerous because of the numerous viruses.
Joe Stanganelli,
User Rank: Ninja
5/11/2016 | 8:44:15 AM
Too afraid
Alas, behold my tale of woe.  My living quarters and office are filled with USB drives from conferences and whatnot that I'm simply too afraid to use.  :p
Kelly Jackson Higgins,
User Rank: Strategist
5/10/2016 | 4:21:55 PM
USB (flash) from the past
It's striking that this social engineering ploy still works so well, a decade later. But I guess that's true of most social engineering exploits, and that's the scariest part.
BertrandW414,
User Rank: Strategist
5/10/2016 | 2:56:30 PM
Re: I will resist the temptation
... and to go down the path you started: "STD" could also stand for "Software-Transmitted Disease"! :-)
pdembry950,
User Rank: Apprentice
5/10/2016 | 12:01:14 PM
I will resist the temptation
"...how plugging something into your computer could result in severe consequences." I am not going to take the bait and make a joke about this. No not going to do it even though I have several friends who have plugged something into somewhere and have suffered severe mental and financial consequences :-)!