Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Social Engineering, the USB Way

Those thumb drives can turn external threats into internal ones in two easy steps

We recently got hired by a credit union to assess the security of its network. The client asked that we really push hard on the social engineering button. In the past, they'd had problems with employees sharing passwords and giving up information easily. Leveraging our effort in the report was a way to drive the message home to the employees.

The client also indicated that USB drives were a concern, since they were an easy way for employees to steal information, as well as bring in potential vulnerabilities such as viruses and Trojans. Several other clients have raised the same concern, yet few have done much to protect themselves from a rogue USB drive plugging into their network. I wanted to see if we could tempt someone into plugging one into their employer's network.

In the past we had used a variety of social engineering tactics to compromise a network. Typically we would hang out with the smokers, sweet-talk a receptionist, or commandeer a meeting room and jack into the network. This time I knew we had to do something different. We heard that employees were talking within the credit union and were telling each other that somebody was going to test the security of the network, including the people element.

We figured we would try something different by baiting the same employees that were on high alert. We gathered all the worthless vendor giveaway thumb drives collected over the years and imprinted them with our own special piece of software. I had one of my guys write a Trojan that, when run, would collect passwords, logins and machine-specific information from the user’s computer, and then email the findings back to us.

The next hurdle we had was getting the USB drives in the hands of the credit union’s internal users. I made my way to the credit union at about 6 a.m. to make sure no employees saw us. I then proceeded to scatter the drives in the parking lot, smoking areas, and other areas employees frequented.

Once I seeded the USB drives, I decided to grab some coffee and watch the employees show up for work. Surveillance of the facility was worth the time involved. It was really amusing to watch the reaction of the employees who found a USB drive. You know they plugged them into their computers the minute they got to their desks.

I immediately called my guy that wrote the Trojan and asked if anything was received at his end. Slowly but surely info was being mailed back to him. I would have loved to be on the inside of the building watching as people started plugging the USB drives in, scouring through the planted image files, then unknowingly running our piece of software.

After about three days, we figured we had collected enough data. When I started to review our findings, I was amazed at the results. Of the 20 USB drives we planted, 15 were found by employees, and all had been plugged into company computers. The data we obtained helped us to compromise additional systems, and the best part of the whole scheme was its convenience. We never broke a sweat. Everything that needed to happen did, and in a way it was completely transparent to the users, the network, and credit union management.

Of all the social engineering efforts we have performed over the years, I always had to worry about being caught, getting detained by the police, or not getting anything of value. The USB route is really the way to go. With the exception of possibly getting caught when seeding the facility, my chances of having a problem are reduced significantly.

You’ve probably seen the experiments where users can be conned into giving up their passwords for a chocolate bar or a $1 bill. But this little giveaway took those a step further, working off humans' innate curiosity. Emailed virus writers exploit this same vulnerability, as do phishers and their clever faux Websites. Our credit union client wasn’t unique or special. All the technology and filtering and scanning in the world won’t address human nature. But it remains the single biggest open door to any company’s secrets.

Disagree? Sprinkle your receptionist's candy dish with USB drives and see for yourself how long it takes for human nature to manifest itself.

— Steve Stasiukonis is VP and founder of Secure Network Technologies Inc. Special to Dark Reading

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
TeamViewer Admits Breach from 2016
Dark Reading Staff 5/20/2019
How a Manufacturing Firm Recovered from a Devastating Ransomware Attack
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-7201
PUBLISHED: 2019-05-22
CSV Injection was discovered in ProjectSend before r1053, affecting victims who import the data into Microsoft Excel.
CVE-2018-7803
PUBLISHED: 2019-05-22
A CWE-754 Improper Check for Unusual or Exceptional Conditions vulnerability exists in Triconex TriStation Emulator V1.2.0, which could cause the emulator to crash when sending a specially crafted packet. The emulator is used infrequently for application logic testing. It is susceptible to an attack...
CVE-2018-7844
PUBLISHED: 2019-05-22
A CWE-200: Information Exposure vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause the disclosure of SNMP information when reading memory blocks from the controller over Modbus.
CVE-2018-7853
PUBLISHED: 2019-05-22
A CWE-248: Uncaught Exception vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause denial of service when reading invalid physical memory blocks in the controller over Modbus
CVE-2018-7854
PUBLISHED: 2019-05-22
A CWE-248 Uncaught Exception vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause a denial of Service when sending invalid debug parameters to the controller over Modbus.